Welcome back to Sherlock’s Vulnerability Spotlight, where we highlight an impactful vulnerability uncovered during a Sherlock audit.
This week, we examine a denial-of-service found in the @GMX_IO contest by @0xdeadbeef____ and @IllIllI000.
Credit to @int0x1catedCode for the breakdown.

Summary of the Vulnerability:
The vulnerability allows an attacker to manipulate order execution flow by providing fake revert reason lengths that don't match the actual data. This causes the protocol's error handling to read incorrect memory regions, potentially disrupting the execution process or causing unexpected behavior when processing failed orders.
Attack Steps:
1. Setup Phase
Deploy a malicious contract that implements custom revert behavior.
The malicious contract must be invokable by the target protocol (e.g., as a callback handler).
2. Craft Malicious Revert Data
Structure revert data with a falsified length parameter.
3. Execute Order Through Protocol
Create an order that will trigger an interaction with the malicious contract.
When the protocol processes the order and calls the malicious contract, it reverts with the crafted data.
The protocol's error handling attempts to decode the revert reason using the fake length.
4. Trigger Memory Read Overflow
The protocol reads memory based on the fake length parameter.
This causes it to read beyond the actual revert data boundaries.
What's the Impact?
Denial of Service: Orders can fail to execute properly, blocking legitimate protocol operations like liquidation of bad positions
Order execution disruption: Batch order processing can be halted, affecting multiple users
Gas griefing: Processing malformed revert data can consume excessive gas
The Root Cause:
1. Unchecked length parameters: The protocol trusts the length value provided in revert data without validation
2. Missing boundary checks: No verification that the claimed length matches the actual data size
The Mitigation:
1. Always validate revert data length
2. Implement maximum length limits
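As an added illustration of both mitigations (not GMX code), the decoder below parses standard ABI-encoded `Error(string)` revert data and refuses to trust the embedded length field unless it fits inside the bytes actually returned and stays under a cap; `MAX_REASON_LEN` and the `encode_error_reason` test-vector helper are assumptions for this example.

```python
# Added example, not part of the GMX codebase: validate the length field of
# Error(string) revert data before decoding it. Layout follows the Solidity ABI:
# 4-byte selector | 32-byte offset (always 32) | 32-byte length | padded bytes.
from dataclasses import dataclass
from typing import Optional

ERROR_SELECTOR = bytes.fromhex("08c379a0")  # keccak256("Error(string)")[:4]
MAX_REASON_LEN = 256                        # assumed protocol-level cap (mitigation 2)


@dataclass
class RevertReason:
    ok: bool
    reason: str
    problem: str = ""


def decode_error_reason(data: bytes, max_len: int = MAX_REASON_LEN) -> RevertReason:
    """Decode Error(string) revert data, rejecting lengths that overrun the buffer."""
    if len(data) < 4 + 32 + 32:
        return RevertReason(False, "", "too short for Error(string)")
    if data[:4] != ERROR_SELECTOR:
        return RevertReason(False, "", "not an Error(string) revert")
    offset = int.from_bytes(data[4:36], "big")
    if offset != 32:
        return RevertReason(False, "", f"unexpected string offset {offset}")
    start = 4 + offset
    claimed_len = int.from_bytes(data[start:start + 32], "big")
    if claimed_len > max_len:  # mitigation 2: maximum length limit
        return RevertReason(False, "", f"claimed length {claimed_len} exceeds cap {max_len}")
    body = data[start + 32:]
    if claimed_len > len(body):  # mitigation 1: claimed length vs. actual data size
        return RevertReason(False, "",
                            f"claimed length {claimed_len} exceeds {len(body)} available bytes")
    return RevertReason(True, body[:claimed_len].decode("utf-8", errors="replace"))


def encode_error_reason(reason: str, claimed_len: Optional[int] = None) -> bytes:
    """Build Error(string) revert data as a constructed test vector.

    claimed_len, when given, overrides the real length so the validator's
    boundary check can be exercised with a mismatched length field.
    """
    raw = reason.encode()
    length = len(raw) if claimed_len is None else claimed_len
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return ERROR_SELECTOR + (32).to_bytes(32, "big") + length.to_bytes(32, "big") + padded
```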
We are proud to have helped secure @GMX_IO through this discovery.
When it absolutely needs to be secure, Sherlock is the right choice.