TOB-FUEL-38: SRWQ instruction is priced inadequately #571

Closed
xgreenx opened this issue Aug 29, 2023 · 2 comments

xgreenx commented Aug 29, 2023

Description

Using the technique outlined in appendix F, we identified several instructions which might not be priced adequately.
One result from this evaluation is that the SRWQ instruction charges gas dependent on the parameter D, though it seems like its consumption is inadequate with respect to the execution time of this instruction. The default cost for it is right now a dependent cost with base 54 and dependent cost per unit of 2.
The SRWQ instruction contains an expensive call to merkle_contract_state_insert_range, which might be inadequately priced. The following figure contains a base64 encoded program which uses the SRWQ function and executes for several seconds.

Figure 38.1: Base64 program which uses SRWQ and consumes relatively high CPU time.

Note that this is a result of a quantitative analysis and that more benchmarking is required to validate whether the gas consumption of SRWQ is inadequate or not.

Exploit Scenario

An attacker deploys a contract which heavily uses the SRWQ instruction. With very little gas consumption the attack can put a lot of stress on the network. Depending on how much gas the attacker invests the whole network could be blocked.

Recommendations

Short term, evaluate a better value for the dependent cost of SRWQ.
Long term, reevaluate the execution time of programs using a corpus obtained through fuzzing.

@xgreenx xgreenx added the audit-report Issue from the audit report label Aug 29, 2023
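
One way to act on the short-term recommendation above, as an added example that is not part of the issue or of the Fuel code base: it models the dependent cost from the description (base 54, per-unit 2), measures how far timings outrun the gas paid, and derives a replacement cost. The names, the charge formula (base + D / dep_per_unit), the 10 ns-per-gas reference and the sample timings are assumptions constructed for illustration.

```rust
// Added example: names, charge formula and all numbers except 54 and 2 are assumptions.
#[derive(Debug, Clone, Copy, PartialEq)]
struct DependentCost {
    base: u64,
    dep_per_unit: u64, // assumed meaning: units of D covered by one gas
}
impl DependentCost {
    /// Gas charged for operand `units` (assumed: base + units / dep_per_unit).
    fn charge(&self, units: u64) -> u64 {
        self.base.saturating_add(units / self.dep_per_unit.max(1))
    }
}

/// Least-squares line through (D, nanoseconds) samples: (intercept, slope).
fn fit_line(samples: &[(u64, f64)]) -> Option<(f64, f64)> {
    let n = samples.len() as f64;
    let (mut sx, mut sy, mut sxx, mut sxy) = (0.0f64, 0.0f64, 0.0f64, 0.0f64);
    for &(d, ns) in samples {
        let x = d as f64;
        sx += x; sy += ns; sxx += x * x; sxy += x * ns;
    }
    let denom = n * sxx - sx * sx;
    if denom == 0.0 { return None; } // need at least two distinct D values
    let slope = (n * sxy - sx * sy) / denom;
    Some(((sy - slope * sx) / n, slope))
}

/// Worst ratio of measured time to paid-for time; above 1.0 means underpriced.
fn worst_underpricing(cost: DependentCost, samples: &[(u64, f64)], ns_per_gas: f64) -> f64 {
    let ratio = |&(d, ns): &(u64, f64)| ns / (cost.charge(d) as f64 * ns_per_gas);
    samples.iter().map(ratio).fold(0.0, f64::max)
}

/// Derive a cost from timings. None if the fit fails or one unit needs more
/// than one gas, which a units-per-gas divisor cannot express.
fn reprice(samples: &[(u64, f64)], ns_per_gas: f64) -> Option<DependentCost> {
    let (intercept, slope) = fit_line(samples)?;
    if slope <= 0.0 || slope > ns_per_gas { return None; }
    Some(DependentCost {
        base: (intercept.max(0.0) / ns_per_gas).ceil() as u64,
        dep_per_unit: (ns_per_gas / slope).floor() as u64, // round down: errs toward charging more
    })
}

/// Constructed timings (not measurements): 2000 ns fixed + 10 ns per unit of D.
const SAMPLES: [(u64, f64); 4] = [(1, 2010.0), (10, 2100.0), (100, 3000.0), (1000, 12000.0)];
fn main() {
    let current = DependentCost { base: 54, dep_per_unit: 2 };
    println!("{:.2} {:?}", worst_underpricing(current, &SAMPLES, 10.0), reprice(&SAMPLES, 10.0));
}
```

With the constructed timings, the current cost pays for less than a third of the measured time at small D, while the refitted cost covers every sample.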

xgreenx commented Aug 29, 2023

SRWQ only has the merkle_contract_state_range call inside. So maybe the report is related to another opcode. Or something is wrong with the description of the issue for SRWQ. We need to investigate the problem during FuelLabs/fuel-core#1306. Maybe it will be fixed by FuelLabs/fuel-core#1239.


xgreenx commented Oct 26, 2023

The issue is fixed with updated benchmarks FuelLabs/fuel-core#1427.

BTW, we plan to limit sequential opcodes with upper bound #611.

@xgreenx xgreenx closed this as completed Oct 26, 2023