Withdrawals with high gas limits can be bricked by a malicious user, permanently locking funds
The vulnerability is related to the calculation of gas limits when executing a withdrawal transaction from the Optimism Portal. Here's an explanation of the vulnerability and a recommended fix:
In the finalizeWithdrawalTransaction function, there is a check to ensure that the amount of gas supplied to the call to the target contract is at least the gas limit specified by the user. The code uses the gasleft() function to check the remaining gas and compares it to _tx.gasLimit + FINALIZE_GAS_BUFFER.
However, this check overlooks how the Ethereum Virtual Machine (EVM) calculates forwarded gas: the EVM limits the total gas forwarded to 63/64ths of the gasleft() value. So, if the gas limit specified by the user is large enough, the amount of gas forwarded to the target contract may be less than the gas limit requested by the user.
This creates a vulnerability because a user can send a transaction with a high gas limit that passes the initial check but ends up forwarding less gas than expected. This can result in the withdrawal transaction failing and permanently locking the funds in the Optimism Portal contract.
To fix this vulnerability, you should adjust the gas check to account for the 63/64ths rule. Here's the recommended fix:
By multiplying the gas limit and buffer by 64/63, you ensure that enough gas is available for the call, considering the EVM's gas forwarding limitation.
It's important to implement this fix to prevent potential fund loss due to failed withdrawal transactions with high gas limits.
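The arithmetic behind the check and its 64/63 adjustment, modeled in Python as an added example (this is not the Optimism contract code or the report's own patch). The FINALIZE_GAS_BUFFER value, the 2,000,000 gas limit and the overhead parameter are assumptions chosen for illustration.

```python
# Added example: models the EVM's 63/64 gas-forwarding cap (EIP-150) against
# the portal's pre-call gas check. All numeric values are constructed.
FINALIZE_GAS_BUFFER = 20_000  # assumed value; the page does not state it

def forwarded_gas(gas_at_call: int, requested: int) -> int:
    """Gas a CALL actually passes on: at most all but 1/64 of what remains."""
    return min(requested, gas_at_call - gas_at_call // 64)

def min_gas_original(gas_limit: int) -> int:
    """Least gasleft() accepted by: gasleft() >= gasLimit + FINALIZE_GAS_BUFFER."""
    return gas_limit + FINALIZE_GAS_BUFFER

def min_gas_adjusted(gas_limit: int) -> int:
    """Least gasleft() accepted once the bound is scaled by 64/63 (integer math)."""
    return (gas_limit + FINALIZE_GAS_BUFFER) * 64 // 63

def worst_case_forwarded(min_gas, gas_limit: int, overhead: int = 0) -> int:
    """Gas the target receives when the caller supplies the bare minimum.

    overhead = gas burned between the check and the CALL (hypothetical knob).
    """
    return forwarded_gas(min_gas(gas_limit) - overhead, gas_limit)

def first_underfunded_limit(min_gas, overhead: int = 0, hi: int = 30_000_000):
    """Smallest gasLimit for which the check passes yet the target gets less.

    Bisection relies on the shortfall not shrinking as gasLimit grows, which
    holds for the original check. Returns None if `hi` itself is fully funded.
    """
    if worst_case_forwarded(min_gas, hi, overhead) >= hi:
        return None
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if worst_case_forwarded(min_gas, mid, overhead) < mid:
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    limit = 2_000_000  # constructed withdrawal gas limit
    print("original check forwards", worst_case_forwarded(min_gas_original, limit))
    print("adjusted check forwards", worst_case_forwarded(min_gas_adjusted, limit))
    print("first underfunded limit", first_underfunded_limit(min_gas_original))
```

With these assumed numbers the original check starts under-delivering once the requested limit exceeds roughly 63 times the buffer, which is why only withdrawals with high gas limits are affected.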