The catch in `try/catch`.
Table of contents
Background
Yesterday was the last of the Farcaster competition on Cantina, others submissions were instantly live which is great because I get an instant feedback loop. I also got my guts twisted with a particular finding I’m documenting here.
Let me try to snip the relevant code from memory as an exercise:
function foo(/* inputs */) public {
try Verifier.verify(/* inputs */) returns (bool isVerified) {
if (!isVerified) {
revert();
}
} catch {
@> // Empty catch block! Hmm...
}
// If verification succeeds, funds are sent from `address(this)` to `msg.sender`.
}
My thought process here was:
Oh, an empty
catchblock… This smells like it could introduce a bug since it’s not handling any unexpected errors. If I can trigger an error inVerifier.verify()function, The emptycatchblock will suppress the error and the logic to send funds will be executed next, sending funds to me!How to trigger the error?
Maybe I can submit malformed inputs to
Verifier.verify()to trigger an error.
Honestly I was thinking I’m a genius at this point lol, until I noticed the blocker: The hash of inputs was checked to exist against some data structure before calling Verifier.verify():
function foo(/* inputs */) public {
@> require(hashes[hash(/* inputs */)] != 0);
try Verifier.verify(/* inputs */) returns (bool isVerified) {
if (!isVerified) {
revert();
}
} catch {}
// If verification succeeds, funds are sent from `address(this)` to `msg.sender`.
}
This means submitting malformed inputs was off table. I stopped here because I couldn’t figure another way to trigger the catch block, but here’s the “catch”: Haxatron, m4rio et al. already triggered the catch block by using the 63/64 rule of EIP-150 (mofo said it was a no brainer):
The tl;dr of 63/64 rule is that if a contract calls another contract, only 63/64 of the gas is forwarded and 1/64 is retained by the caller contarct. To put this into context, another detail from our snipped code is that Verifier.verify() was a gas intensive onchain verification:
function foo(/* inputs */) public {
require(hashes[hash(/* inputs */)] != 0);
@> // Gas intensive verification!
@> try Verifier.verify(/* inputs */) returns (bool isVerified) {
if (!isVerified) {
revert();
}
} catch {}
// If verification succeeds, funds are sent from `address(this)` to `msg.sender`.
}
So:
- We got an external call to
Verifier.verify(). Verifier.verifier()is gas intensive, what if it consumes all its 63/64 forwarded gas?- 1/64 gas is left for remaining logic inside
foo()to resume execution…
Gas analysis:
Two questions:
- How much gas
foo()initially has? a followup is how much exactly is forwarded toVerifier.verify()? - How much
Verifier.verify()will actually consume?
The second question is interesting because the test case for verification was passing, is there a “range” of gas to be consumed that the attacker has the luxury of targeting a value from? Let’s answer both questions:
- Block gas limit is ~30M gas which is a cumulative limit for all txs in a block. Individual txs can use up to the block gas limit if they’re the only tx in the block so theoratically, the initial gas for
foo()is 30M gas. With 63/64 rule,Verifier.verify()would receive up to 63/64 * 30M andfoo()retains 1/64 * 30M gas. In case there are other txs in the block, the gas limit forfoo()would be less, you get the idea. - How much gas
verify()will actually consume depends on how much gas is forwarded to it, as a user can specify the gas limit for a given call. Whatever that gas limit is,Verifier.verify()will consume 63/64 of it. Another point to consider is ifverify()have branches, we should consider the worst case scenario for gas consumption and if the forwarded gas is sufficient to cover it.
The attack
I’ll quote rholterhus report as I enjoy it the most:
TODO.
How could I have found the issue
- Focus.
- Ask more questions, more WHAT IFs. Use Perplexity and equivalents.
- I had a gut feeling there was a bug there, trust gut feeling more.
Action items
- Mourn
- Read every submission of the issue.
- Read EIP-150.
- Read RareSkills article on
try/catchblocks.