Smart Contract / DOS with Block Gas Limit

SWC

Description

DoS With Block Gas Limit is a vulnerability in the Smart Contract category, identified in the Smart Contract Wallet (SWC) registry. The CWE directory classifies it as CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'). According to the OWASP Testing Guide, the attack occurs when a smart contract has an insufficient gas limit set, which lets an attacker exhaust the available gas so that the contract runs out of gas before execution completes.

Risk

This vulnerability can have a severe impact on the availability of the smart contract: an attacker can completely exhaust the available gas, causing the contract to fail. The result is a Denial of Service (DoS), since the contract can no longer execute any transactions.

Solution

The best way to resolve this vulnerability is to ensure that the gas limit is set to a value appropriate for the task at hand, i.e. the maximum amount of gas that executing the contract actually needs. Additionally, the account should be monitored for suspicious activity, since this helps detect potential attackers early.
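The following is an added Solidity example, not code from the page or the SWC registry, showing the pattern most often behind this weakness class and the mitigation the Solution describes. In the first contract the gas needed by distribute() grows with the number of registered recipients, so once the array is large enough no single transaction can stay under the block gas limit and the function is permanently unusable. The second contract bounds the work per call with a cursor and a caller-supplied batch size, so each call's gas need is known and fixed in advance. Contract and function names and the payout scenario are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a payout loop whose gas cost grows with the number of
// recipients. Once enough addresses have registered, distribute() needs more
// gas than one block allows, every call reverts, and the funds are stuck.
contract UnboundedPayout {
    address[] public recipients;
    mapping(address => uint256) public owed;

    receive() external payable {}

    function register() external {
        // Anyone can grow the array; nothing caps its length.
        recipients.push(msg.sender);
        owed[msg.sender] += 1 wei;
    }

    function distribute() external {
        // Gas cost is proportional to recipients.length with no upper bound.
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 amount = owed[recipients[i]];
            owed[recipients[i]] = 0;
            (bool ok, ) = recipients[i].call{value: amount}("");
            require(ok, "transfer failed");
        }
    }
}

// Hardened variant: process at most `batchSize` entries per call and remember
// where to resume, so a transaction's gas requirement is bounded no matter how
// many recipients exist. A pull-based withdraw() removes the loop entirely for
// callers who prefer to collect their own balance.
contract BoundedPayout {
    address[] public recipients;
    mapping(address => uint256) public owed;
    uint256 public cursor;

    receive() external payable {}

    function register() external {
        recipients.push(msg.sender);
        owed[msg.sender] += 1 wei;
    }

    function distribute(uint256 batchSize) external {
        require(batchSize > 0, "empty batch");
        uint256 end = cursor + batchSize;
        if (end > recipients.length) end = recipients.length;
        // Iterations per call are capped by batchSize, so gas use is predictable.
        for (uint256 i = cursor; i < end; i++) {
            uint256 amount = owed[recipients[i]];
            owed[recipients[i]] = 0;
            (bool ok, ) = recipients[i].call{value: amount}("");
            require(ok, "transfer failed");
        }
        cursor = end;
    }

    function withdraw() external {
        // Pull pattern: constant gas cost, independent of array size.
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing a contract for this weakness, look for loops whose iteration count depends on storage that external callers can grow (arrays, counters) and check that either the loop is bounded per call or the work is moved to a pull-based function with constant cost.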

Example

The following code example, taken from CVE-2020-7481, shows how a DoS With Block Gas Limit attack can be performed. The code sets the gas limit of a transaction to an insufficient value, so the contract fails because it has too little gas to complete.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Test {
  function test() public {
    uint gas = 10000000000;
    // set gas limit to an insufficient value
    gas = gas - 100000;
    // forward only `gas` units to the inner call; if that is too little, the call fails
    (bool ok, ) = address(this).call{gas: gas}(abi.encodeWithSignature("work()"));
    require(ok, "inner call ran out of gas");
  }

  // placeholder for the work the original `transaction(gas)` call stood for
  function work() public pure {}
}
