Vulnerability
The vulnerability lies in the gas calculation logic within the _callWithExactGasSafeReturnData function. Specifically, the variable g is assigned the current gas value before the gas check:
The subsequent check:
is performed without updating g to account for the gas used during this check. After this, the new gas value is calculated:
g := sub(g, gasForCallExactCheck)
However, this calculation does not account for the gas used during the previous check, leading to an overestimated value of g. As a result, when performing the final gas comparison:
the comparison might falsely pass, leading to a scenario where the contract attempts to call the target with less gas than intended.
Impact
The impact of this vulnerability is that the contract may behave non-deterministically. Specifically, when the gas passed by the caller is strictly controlled, the contract might fail to revert as expected and proceed with the call, but with insufficient gas. This could lead to failed operations within the target contract, which contradicts the intended functionality of this contract. The call to the target contract may revert due to insufficient gas.
Solution
One way is to guess the gas that will be used for the check on the basis of the memory size and the dynamic behaviour of the lt opcode.
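The accounting described in this issue, modelled in Python as an added example (not code from the issue or from the contract). The form of the final comparison, the EIP-150 63/64 forwarding cap, the `overhead` parameter and all numeric values are assumptions; in this model a passing check can under-fund the call only when the gas spent between the snapshot and the call exceeds gasForCallExactCheck.

```python
"""Model of the gas accounting described in the issue (constructed, not the contract's code)."""


def max_forwardable(gas_available: int) -> int:
    # EIP-150: a CALL can pass on at most all but 1/64 of the gas available.
    return gas_available - gas_available // 64


def simulate(gas_snapshot, gas_limit, gas_for_call_exact_check, overhead):
    """Return (check_passes, gas_forwarded); gas_forwarded is None on revert.

    gas_snapshot: value of g when it is first assigned
    overhead:     gas burned between that assignment and the CALL (assumed)
    """
    g = gas_snapshot
    if g < gas_for_call_exact_check:           # first check
        return False, None
    g -= gas_for_call_exact_check              # g := sub(g, gasForCallExactCheck)
    if max_forwardable(g) <= gas_limit:        # final comparison (assumed form)
        return False, None
    actual = max(gas_snapshot - overhead, 0)   # gas really left at the CALL
    return True, min(gas_limit, max_forwardable(actual))


def underfunded_snapshots(gas_limit, gas_for_call_exact_check, overhead, lo, hi):
    """Snapshots in [lo, hi) where the check passes but the target gets < gas_limit."""
    out = []
    for s in range(lo, hi):
        ok, forwarded = simulate(s, gas_limit, gas_for_call_exact_check, overhead)
        if ok and forwarded < gas_limit:
            out.append(s)
    return out


if __name__ == "__main__":
    LIMIT, RESERVE = 100_000, 5_000            # constructed sample values
    for overhead in (200, 6_000):              # below and above the reserve
        bad = underfunded_snapshots(LIMIT, RESERVE, overhead, 100_000, 120_000)
        print(f"overhead={overhead}: {len(bad)} underfunded snapshot values")
```
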