Audit: too much gas for feeder calls #344

Closed
ureeves opened this issue Mar 18, 2024 · 4 comments · Fixed by #345
Labels
fix:vulnerability (Issues related to fix vulnerabilities of the architecture or software)
team:Core (Low Level Core Development Team (Rust))


@ureeves
Member

ureeves commented Mar 18, 2024

Summary

Currently a feeder call is performed with the maximum amount of gas possible. This is ok for contracts that the host controls, but may become a problem for contracts it does not. If a contract is malicious it may simply loop forever, and never provide any data, and effectively allow the chain to be DOSed.

let r = self.call(contract, fn_name, fn_arg, u64::MAX);

Possible Solution (Optional)

Allow the caller to determine the gas with which the feeder call can be executed.

ureeves added a commit that referenced this issue Mar 18, 2024
@herr-seppia
Member

Isn't the gas_limit coherent with the one specified in the session?
I mean, the idea is that even if the user specifies u64::MAX for the feeder call, it should still be constrained by the session limit.
If that's not the case, I suspect that the proposal PR would not fix the underlying issue, since a malicious contract could still use an arbitrary gas limit.

@ureeves
Member Author

ureeves commented Mar 18, 2024

I'm not sure what you mean by "specified in the session". There is no session-bound gas limit. All gas limits are given with each call, this is the only exception.

@herr-seppia
Member

Sorry, I was too focused on the consumer side (rusk)

> This is ok for contracts that the host controls, but may become a problem for contracts it does not

About this, is it ok to say that the only way to call a contract without the "host" controls is to call it with an ICC?
If so, the gas limit will be specified by the parent call, so even if the malicious contract specifies u64::MAX it will be constrained by the ICC gas limit

Or are you thinking of a different and/or more generic use case?

@ureeves
Member Author

ureeves commented Mar 18, 2024

> Sorry, I was too focused on the consumer side (rusk)
>
> > This is ok for contracts that the host controls, but may become a problem for contracts it does not
>
> About this, is it ok to say that the only way to call a contract without the "host" controls is to call it with an ICC? If so, the gas limit will be specified by the parent call, so even if the malicious contract specifies u64::MAX it will be constrained by the ICC gas limit
>
> Or are you thinking of a different and/or more generic use case?

A contract calling a feeder call through an ICC will result in a panic, so we only need to worry about the host calling the contract. When third-party contracts become allowed, we can't trust that giving limitless funds to it is safe, so we should probably limit setting infinite gas to the genesis contracts (contracts we control).
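
The scenario discussed in this thread, as an added toy model that is not part of the thread and not the project's code: a host-side feeder call that takes a caller-supplied gas limit, run against an honest contract and against one that loops without ever feeding data. `feeder_call`'s signature here, `Step`, `CallError`, `honest`, `malicious`, `run` and the cost of 1 gas per step are all assumptions made for illustration.

```rust
use std::sync::mpsc;

/// One step of a toy contract (hypothetical model): feed data, keep looping, or return.
enum Step { Feed(Vec<u8>), Spin, Done }

#[derive(Debug, PartialEq)]
enum CallError { OutOfGas }

/// Metered feeder call (assumption: every step costs 1 gas, charged before it runs).
/// Returns the gas spent when the contract finishes within `gas_limit`.
fn feeder_call(
    mut contract: impl FnMut(u64) -> Step,
    gas_limit: u64,
    feeder: &mpsc::Sender<Vec<u8>>,
) -> Result<u64, CallError> {
    let mut spent = 0u64;
    loop {
        if spent == gas_limit {
            return Err(CallError::OutOfGas); // bounded: the host regains control
        }
        spent += 1;
        match contract(spent) {
            Step::Feed(data) => { let _ = feeder.send(data); }
            Step::Spin => {}
            Step::Done => return Ok(spent),
        }
    }
}

/// Honest contract: feeds three items, then returns.
fn honest(step: u64) -> Step {
    if step <= 3 { Step::Feed(vec![step as u8]) } else { Step::Done }
}

/// Malicious contract: loops forever and never provides any data.
fn malicious(_step: u64) -> Step { Step::Spin }

/// Runs a contract under `gas_limit`; returns the call result and the number of items fed.
fn run(contract: fn(u64) -> Step, gas_limit: u64) -> (Result<u64, CallError>, usize) {
    let (tx, rx) = mpsc::channel();
    let result = feeder_call(contract, gas_limit, &tx);
    drop(tx); // close the channel so the receiver's iterator terminates
    (result, rx.iter().count())
}

fn main() {
    println!("{:?}", run(honest, 1_000));
    println!("{:?}", run(malicious, 1_000));
    // With gas_limit = u64::MAX the malicious call would run for 2^64 steps.
}
```

Note that a call aborted for running out of gas may already have fed some items, so a consumer of the feed has to check the call result before relying on what it received.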
