Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong gas price calculation in eth_send_raw_unsigned_tx could lead to suboptimal transaction pricing #125

Closed
c4-bot-8 opened this issue Oct 19, 2024 · 1 comment
Closed

Wrong gas price calculation in eth_send_raw_unsigned_tx could lead to suboptimal transaction pricing #125

c4-bot-8 opened this issue Oct 19, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working edited-by-warden 🤖_47_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-8
Copy link
Contributor

c4-bot-8 commented Oct 19, 2024
edited by c4-bot-9
Loading

Lines of code

https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/eth_rpc.cairo#L304-L307

Vulnerability details

Proof of Concept

eth_rpc.cairo::eth_send_raw_unsigned_tx underprices transactions, which could lead to delayed or failed transactions in congested network conditions.

Take a look at this part of the code:

https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/eth_rpc.cairo#L304-L307

let possible_priority_fee = tx.max_fee_per_gas - block_base_fee;
let priority_fee_is_max_priority_fee = is_nn(
    possible_priority_fee - tx.max_priority_fee_per_gas
);
let priority_fee_per_gas = priority_fee_is_max_priority_fee * tx.max_priority_fee_per_gas + (
    1 - priority_fee_is_max_priority_fee
) * possible_priority_fee;
let effective_gas_price = priority_fee_per_gas + block_base_fee;

The problem is in the calculation of priority_fee_per_gas. The logic attempts to choose between tx.max_priority_fee_per_gas and possible_priority_fee, but it does so incorrectly.

The issue is that priority_fee_is_max_priority_fee is set to 1 when possible_priority_fee is greater than or equal to tx.max_priority_fee_per_gas, which is the opposite of what we actually want. This means that when the possible_priority_fee is larger, the function will choose tx.max_priority_fee_per_gas instead of the smaller value.

As a result, in some cases, the priority_fee_per_gas could be set higher/lower than intended leading to users paying more/less in gas fees than necessary.

In most cases, transactions may be underpriced relative to what the user is willing to pay. In congested network conditions, transactions may end up being delayed or failing to be processed cos they're not utilizing the full gas price the user was willing to pay.

Short Note:

I discussed this issue with the sponsors and they confirmed this bug case

Recommended Mitigation Steps

The calculation of priority_fee_is_max_priority_fee should be inverted.

- let priority_fee_is_max_priority_fee = is_nn(
-     possible_priority_fee - tx.max_priority_fee_per_gas
- );
+ let priority_fee_is_max_priority_fee = is_nn(
+     tx.max_priority_fee_per_gas - possible_priority_fee
+ );

Assessed type

Error
@c4-bot-8 c4-bot-8 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 19, 2024
c4-bot-10 added a commit that referenced this issue Oct 19, 2024
@c4-bot-10
Rhaydden issue #125
33391ce
@c4-bot-12 c4-bot-12 added the 🤖_47_group AI based duplicate group recommendation label Oct 25, 2024
@howlbot-integration howlbot-integration bot added the insufficient quality report This report is not of sufficient quality label Oct 28, 2024
howlbot-integration bot added a commit that referenced this issue Nov 9, 2024
@howlbot-integration
Rhaydden update issue #125
3403ce0
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality and removed insufficient quality report This report is not of sufficient quality labels Nov 9, 2024
@dmvt dmvt mentioned this issue Nov 9, 2024
Closed
@dmvt
Copy link

dmvt commented Nov 9, 2024

@Rhaydden thank you for flagging this. I've promoted it: code-423n4/2024-09-kakarot-findings#133

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working edited-by-warden 🤖_47_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dmvt @code4rena-admin @c4-bot-8 @c4-bot-12