LOW - ANKR - User gets more gas than supposed to when distributing rewards

Target


Bug Description

The distributeRewards() function, which pays out rewards, sends them via

(bool result, ) = wallet.call{value: toDistribute, gas: 10000}("");

Although the wallet is assumed to receive 10,000 gas, it in fact receives 12,300, because on BSC a call that transfers value is granted an additional 2,300 gas stipend on top of the explicit gas amount.


Impact

This has two impacts:

  1. Increased gas cost of distributeRewards() on every distribution (over many distributions, fixing this amounts to a large amount of gas saved).

  2. Greater risk of a re-entrancy attack, since the recipient has a larger gas budget to work with.

Risk Breakdown

Difficulty to Exploit: Easy


Recommendation

Pass gas = 7700 to the call so that, together with the 2300 free gas units, the recipient receives the intended 10,000.
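To make the stipend visible, here is an added illustration (not Ankr's code, and not from the report). The Distributor contract is hypothetical and mirrors the call pattern quoted above in both its reported and its recommended form; the GasProbe contract is a hypothetical recipient that emits the gas it observes on entry, which a unit test can read from the event log and compare for the two variants. The 2300 figure is the stipend the report describes; the 10000 intended budget is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical recipient used only to observe the gas it is given.
// It logs instead of writing storage: an SSTORE to a fresh slot alone
// costs more than the ~10k budget under discussion, whereas an event
// costs about a thousand gas and fits comfortably.
contract GasProbe {
    event GasSeen(uint256 gasLeft);

    // gasleft() here is the forwarded gas minus the few hundred units
    // already spent on dispatching the call, so the logged value sits
    // slightly below what the caller granted (~12.3k for the reported
    // form, ~10k for the recommended form).
    receive() external payable {
        emit GasSeen(gasleft());
    }
}

// Hypothetical distributor reproducing the pattern from the report.
contract Distributor {
    // Extra gas the EVM adds to a CALL that transfers a non-zero value
    // (the "free" 2300 gas units mentioned in the report).
    uint256 public constant STIPEND = 2300;
    // Gas budget the code intended the recipient to have.
    uint256 public constant INTENDED = 10000;

    // Lets a test fund this contract before calling the pay functions.
    receive() external payable {}

    // Form as reported: the explicit 10000 plus the 2300 stipend gives
    // the recipient about 12,300 gas.
    function payAsReported(address wallet, uint256 amount) external returns (bool) {
        (bool result, ) = wallet.call{value: amount, gas: INTENDED}("");
        return result;
    }

    // Recommended form: 7700 explicit + 2300 stipend = the intended 10,000.
    // Caveat: the stipend is only added when value > 0, so a zero-value
    // call through this path would forward just 7700 gas.
    function payAsRecommended(address wallet, uint256 amount) external returns (bool) {
        (bool result, ) = wallet.call{value: amount, gas: INTENDED - STIPEND}("");
        return result;
    }
}
```

In a test, fund Distributor, deploy GasProbe, call each pay function with a non-zero amount, and read the GasSeen value from the receipt: the two readings differ by the 2300 stipend. A hard-coded gas limit of this kind is also sensitive to opcode repricing across hard forks, so any such constant deserves a regression test like this one rather than being assumed correct.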


References




Ankr said it is fine for them to spend 12,300 gas on each call. Note that the low gas limit is Ankr's defense against re-entrancy in this contract. The smallest approve() contract shellcode would cost around 15K gas, so the call is probably not exploitable even with 12,300. Still, there are considerable gas savings to be had by fixing this issue.
