Adversary can cause malicious slashing of operators by creating malicous token and setting gas limit above chain block gas limit

[code423n4]

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L301-L439

Vulnerability details

Impact

Operators maliciously slashed

Proof of Concept

A user can create a malicious token that when called by anyone other than themselves and the bridge use an extreme amount of gas. They create a bridge request with a gas limit higher than the block limit. If an operator tries to call execute they will always run out of gas. Meanwhile the malicious user can call the token for very little gas. The malicious user calls the request to slash the operator

Tools Used

Manual Review

Recommended Mitigation Steps

Ensure gas limit is not higher than destination block gas limit

[Minh-Trng]

a low level call will retain some gas for the parent https://eips.ethereum.org/EIPS/eip-150 so the rest of the code should still be able to execute

[gzeoneth]

If the gasLimit is above block/tx gas limit, this will always revert and no one can execute the job and no slashing can occur.

Also attacker need to pay gasPrice * gasLimit upfront which can be huge if the gasLimit is set to very high.

[gzeoneth]

Can be a duplicate of #364

[0xA5DF]

#364 makes the attack cheaper, but even if #364 was fixed, the attack would still be possible, and as I've shown at #414 it can cost a few bucks to do it on Polygon and Avalanche.

[gzeoneth]

I don't think slashing is possible, the block gas limit issue is a dupe of #414