Smart Contract / Message Call with Hardcoded Gas Amount

SWC

Description

Message call with hardcoded gas amount is a type of vulnerability found in smart contracts. It occurs when a message call is made with a hardcoded gas amount that is not sufficient for the call to be executed. This can lead to further issues, such as the smart contract not functioning correctly or an attacker being able to exploit the contract. This type of vulnerability is classified as CWE-826, which is also known as Insufficient Control of Gas Usage. Additionally, this type of vulnerability can be found in the OWASP Testing Guide.

Risk

The risk associated with this vulnerability is that it can lead to further issues with the smart contract. This could include a contract not functioning correctly or an attacker being able to exploit the contract. Additionally, this type of vulnerability can be used to exhaust the contract’s gas budget, leading to a Denial of Service attack.

Solution

The solution to this vulnerability is for developers to ensure that all message calls are made with an appropriate gas amount. This gas amount should be calculated properly to ensure that it is sufficient for the message call to be executed. Additionally, developers should ensure that all message calls have a fail-safe in case the gas amount is insufficient.

Example

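pragma solidity ^0.8.0;
interface Other { function myOtherFunction() external payable; }

contract MyContract {
  Other other; // callee contract; assumed here, the original snippet does not declare it

  function myFunction() public payable {
    // Call with hardcoded gas amount of 2000
    other.myOtherFunction{value: msg.value, gas: 2000}();
  }
}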
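
A hardened counterpart to the example above, added here as an illustration and not taken from the original page: it drops the gas literal so the call receives the remaining gas, and adds the fail-safe the Solution section asks for. The names Forwarder, IReceiver, pending, ForwardFailed and withdraw are hypothetical, and forwarding all remaining gas is one way to provide a sufficient amount, chosen here instead of computing a fixed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. All names except myFunction/myOtherFunction are hypothetical.
interface IReceiver {
    function myOtherFunction() external payable;
}

contract Forwarder {
    IReceiver public immutable receiver;

    // Value from failed forwards, held so the sender can reclaim it.
    mapping(address => uint256) public pending;

    event ForwardFailed(address indexed from, uint256 amount);

    constructor(IReceiver _receiver) {
        receiver = _receiver;
    }

    function myFunction() external payable {
        // No gas literal: the callee gets the remaining gas
        // (the EVM retains 1/64 for the caller, per EIP-150).
        try receiver.myOtherFunction{value: msg.value}() {
            // Call succeeded; nothing further to do.
        } catch {
            // Fail-safe: the call reverted or ran out of gas.
            // Credit the sender instead of losing or locking the value.
            pending[msg.sender] += msg.value;
            emit ForwardFailed(msg.sender, msg.value);
        }
    }

    function withdraw() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Effects before interaction: with no gas cap the recipient
        // can re-enter, so the balance is cleared first.
        pending[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

Removing the gas cap means the callee can run arbitrary code, which is why the withdrawal path updates state before making its external call.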
