Assessment reportsPublic findings
Back to Zellic site
Assessment reports>ZetaChain>Medium findings>Median gas-price threshold
GeneralOverview
Findings
Critical (1)
High (2)
Medium (4)TSS funds migration may not be done correctlyZRC-20 mapping is overwritten on new deploymentNo slippage limit set in Uniswap swapMedian gas-price threshold
DiscussionLenient slash behaviourGas stability pool
Threat ModelWhat are threat models?crosschainfungibleobserver
Audit ResultsSummary
Category: Business Logic

Median gas-price threshold

Medium Severity
Medium Impact
Medium Likelihood

Description

The price of gas is determined by taking a median of posted gas prices; however, there is no minimum threshold of posted prices. As a consequence, if there are few prices posted, the price could be manipulated.

// Only observer validators are authorized to broadcast this message.
func (k msgServer) GasPriceVoter(goCtx context.Context, msg *types.MsgGasPriceVoter) (*types.MsgGasPriceVoterResponse, error) {
		...
		// recompute the median gas price
		mi := medianOfArray(gasPrice.Prices)
		// #nosec G701 always positive
		...
}

Impact

An early malicious observer could be the first one to post and could post a completely manipulated price, which would then be considered the median, and they could quickly execute a transaction with said manipulated gas price for their own gain.

Recommendations

Set a minimum threshold of posted prices before setting the gas_price.

Remediation

The ZetaChain team stated that:

We acknowledged the finding as an issue. However, we think the impacted is limited because the observer set is currently permissioned and the exploitation of the issue is limited since the sender of the transaction with the manipulated gas price would still need to pay for the gas on ZetaChain. We decided to not implement a remediation for the time being but we documented the issue in our backlog.

Zellic © 2024Back to top ↑