Skip to content

Latest commit

 

History

History
50 lines (30 loc) · 1.74 KB

040.md

File metadata and controls

50 lines (30 loc) · 1.74 KB

Dandy Caramel Tortoise

Medium

Loan repayment can be intentionally done with slightly less than 80k gas

Summary

Incorrect check will cause the loanRepaymentListener to receive less than 80k gas limit

Root Cause

The check performed before making the call to loanRepaymentListener is that there is atleast 80k gasleft

        if (loanRepaymentListener != address(0)) {
            require(gasleft() >= 80000, "NR gas");  //fixes the 63/64 remaining issue
            try
                ILoanRepaymentListener(loanRepaymentListener).repayLoanCallback{
                    gas: 80000
                }( //limit gas costs to prevent lender preventing repayments
                    _bidId,
                    _msgSenderForMarket(bid.marketplaceId),

But this will fail to send 80k gas to the loanRepaymentListener due to the 63/64 rule ie. if 81250 gas is present, then only (81250 * 63/64 == 79980) gas will be sent. If the loanRepaymentListener expects exactly 80k gas for its execution, it will cause its execution to revert

Internal pre-conditions

loanRepaymentListener should need very close to 80k gas for its execution

External pre-conditions

No response

Attack Path

  1. The loan is repaid with a gas amount such that the gas sent to loanRepaymentListener is less than 80k

Impact

Attacker can intentionally make the execution of loanRepaymentListener revert

PoC

No response

Mitigation

Keep a buffer and not the exact amount so that there is exactly 80k gas to be sent to the loanRepaymentListener