Smart Contract / DOS with Failed Call
Description
DoS with Failed Call (CWE-400) is a type of Smart Contract vulnerability that occurs in SWC (Solidity). It is a type of attack where an attacker can cause an internal function of the contract to enter an infinite loop, which causes the contract to lock up and stop functioning. This type of attack can be used to prevent the contract from responding to legitimate requests, such as transactions and calls. Additionally, this type of attack is difficult to detect, because the attack does not involve any external access to the contract. The OWASP Testing Guide provides detailed information on how to detect and prevent this type of vulnerability.
Risk
This vulnerability can have a high risk in terms of financial losses or data breach. An attacker could use DoS with Failed Call to lock up a contract and prevent it from responding to legitimate requests, thus preventing users from interacting with the contract. This could result in financial losses or an attacker gaining access to user data.
Solution
The best way to prevent this type of attack is by using a secure coding practice to ensure that the contract code is robust and free from vulnerabilities. Additionally, security testing should be conducted on the contract code to detect and fix any vulnerabilities before the contract is deployed. Additionally, the contract should also be monitored for any suspicious activity and any suspicious activity should be investigated.
Example
The following is an example of a vulnerable contract code from the CVE (CVE-2020-12658) directory.
contract DoSCall {
bool public isTriggered;
function DoSCall() public {
isTriggered = false;
}
function triggerDoS() public {
isTriggered = true;
doSCall(msg.sender);
}
function doSCall(address _target) private {
if (!isTriggered) return;
_target.call.value(1 ether)();
doSCall(_target);
}
}
The above code contains a vulnerability whereby an attacker can call the triggerDoS() function, which will cause the doSCall() function to enter an infinite loop, causing the contract to lock up.
Related incidents
- Parity Multisig Hack: In July 2017, a vulnerability in the Parity Multisig contract was exploited, resulting in the theft of over $30 million worth of Ethereum. This vulnerability was caused by a DoS with Failed Call bug.
- Upbit Crypto Exchange Hack: In November 2019, an attacker exploited a DoS with Failed Call vulnerability in an Upbit Ethereum smart contract, resulting in the theft of $49 million worth of Ethereum.
- Bancor Network Hack: In July 2018, a DoS with Failed Call vulnerability was exploited by an attacker, resulting in the theft of $23.5 million worth of Ethereum.
- Aragon Network Hack: In August 2020, an attacker exploited a DoS with Failed Call vulnerability in the Aragon Network, resulting in the theft of $25 million.
- Aave Protocol Hack: In November 2020, an attacker exploited a DoS with Failed Call vulnerability in the Aave protocol, resulting in the theft of $25 million worth of Ethereum.