TOB-FUEL-40: MCPI instruction is not charging gas depending on the input value

[xgreenx]

Description

The instruction MCPI (copy memory) currently does not charge depending on the amount of memory which is being copied.

Figure 41.1: MCPI is missing a dependent gas charge. (fuel-vm/fuel-vm/src/interpreter/executors/instruction.rs#654–666)

Instruction::MCP(mcp) => {
    let (a, b, c) = mcp.unpack();
    let len = r!(c);
    self.dependent_gas_charge(self.gas_costs.mcp, len)?;
    self.memcopy(r!(a), r!(b), len)?;
}
Instruction::MCPI(mcpi) => {
    self.gas_charge(self.gas_costs.mcpi)?;
    let (a, b, imm) = mcpi.unpack();
    let len = imm.into();
    self.memcopy(r!(a), r!(b), len)?;
}

Exploit Scenario

An attacker deploys a contract which heavily uses the above MCPI instruction. With very little gas consumption the attack can put a lot of stress on the network. Depending on how much gas the attacker invests the whole network could be blocked.

Recommendations

Short term, introduce a dependent cost for the MCPI instruction
Long term, reevaluate the execution time of programs using a corpus obtained through fuzzing.

[xgreenx]

Fixed with #537, requires follow-up PR on the fuel-core side FuelLabs/fuel-core#1325