TOB-FUEL-30: Expensive instruction SWWQ with constant gas

[xgreenx]

Description

The SWWQ (State write sequential 32 byte slots) instruction consumes constant gas, but its execution time depends linearly on the parameter D. The following figure shows the contract code which contains the expensive instructions.

Figure 30.1: Expensive instruction.

op::divi(0x11, RegId::HP, 32),
op::swwq(RegId::ZERO, 0x10, RegId::ZERO, 0x11), // expensive

The severity of this issue is limited by the fact that SWWQ checks the value of the parameter D, which is limited by the memory size. The contract above can be invoked as described in figure 29.2.
Similarly to #565, a loop bound by the parameter D causes a long execution time. The following figure shows the loop.

Figure 30.2: Loop based on the parameter D of SWWQ. (fuel-vm/fuel-vm/src/storage/memory.rs#379–414)

fn merkle_contract_state_range(
    &self,
    id: &ContractId,
    start_key: &Bytes32,
    range: Word,
) -> Result<Vec<Option<Cow<Bytes32>>>, Self::DataError> {
    let start: ContractsStateKey = (id, start_key).into();
    let end: ContractsStateKey = (id, &Bytes32::new([u8::MAX; 32])).into();
    let mut iter = self.memory.contract_state.range(start..end);
    let mut next_item = iter.next();
    Ok(std::iter::successors(Some(**start_key), |n| {
        let mut n = *n;
        if add_one(&mut n) {
        None
        } else {
        Some(n) }
        }) .map(...)
            .take(range as usize)
            .collect())
}

Exploit Scenario

An attacker deploys a contract that includes a malicious SWWQ instruction. With little gas an attacker can put a significant amount of stress on the network.

Recommendations

Short term, charge gas which dynamically depends on the parameter D.
Long term, deploy the fuzzer from the fuzzing appendix (see appendix E). By using a
reasonably low timeout of 100ms to 1s it is possible to catch bugs like this.

[xgreenx]

Fixed with #537, requires follow-up PR on the fuel-core side FuelLabs/fuel-core#1325