TOB-FUEL-35: Gas for hashing is not dependent on amount of words hashed

[xgreenx]

Description

The K256 and S256 instructions use constant gas even though they iterate over the memory range b..b + c. Therefore, the actual cost of these instructions should depend on the parameter c.

Figure 36.1: Code for charging gas for hashing. (fuel-vm/fuel-vm/src/interpreter/executors/instruction.rs#808–818)

Instruction::K256(k256) => {
    self.gas_charge(self.gas_costs.k256)?;
    let (a, b, c) = k256.unpack();
    self.keccak256(r!(a), r!(b), r!(c))?;
}
Instruction::S256(s256) => {
    self.gas_charge(self.gas_costs.s256)?;
    let (a, b, c) = s256.unpack();
    self.sha256(r!(a), r!(b), r!(c))?;
}

The fuzzer from the fuzzing appendix (see appendix E) uncovered this issue, as input execution of the hashing functions with a large C, caused a timeout.

Exploit Scenario

An attacker deploys a contract which heavily uses the above hashing functions. With very little gas consumption the attack can put a lot of stress on the network. Depending on how much gas the attacker invests the whole network could be blocked.

Recommendations

Short term, switch to a dependent gas calculation depending on c. We verified this fix by fuzzing. After applying a dependent gas charge, the VM no longer caused a timeout.
Long term, deploy the fuzzer described in the fuzzing appendix (see appendix E). By using a reasonably low timeout of 100ms to 1s it is possible to catch bugs like this.

[xgreenx]

Fixed with #537, requires follow-up PR on the fuel-core side FuelLabs/fuel-core#1325