Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing overflow check for AccessList cost addition in IntrinsicGas function #30880

Open
Kourin1996 opened this issue Dec 9, 2024 · 2 comments

Comments

@Kourin1996
Copy link

Geth version: 1.14.13-unstable
Commit hash : master branch (08e6bdb550712503873fb2a138b30132cc36c481)

IntrinsicGas in core/state_transition.go calculates intrinsic gas for a given transaction. Cost calculation of data field take care of overflow while the calculation for Access List doesn't. (Please see code below)

if isContractCreation && isEIP3860 {
lenWords := toWordSize(dataLen)
if (math.MaxUint64-gas)/params.InitCodeWordGas < lenWords {
return 0, ErrGasUintOverflow
}
gas += lenWords * params.InitCodeWordGas
}
}
if accessList != nil {
gas += uint64(len(accessList)) * params.TxAccessListAddressGas
gas += uint64(accessList.StorageKeys()) * params.TxAccessListStorageKeyGas
}

In general, a transaction causing overflow at this point might be blocked by another check (e.g. TxPool slot limit). But evm transaction command which validates a transaction offline might return wrong result by this problem.

Ideally, IntrinsicGas should check overflow in calculation for AccessList cost like this:

if accessList != nil {
	numItems := uint64(len(accessList))
	if (math.MaxUint64-gas)/params.TxAccessListAddressGas < numItems {
		return 0, ErrGasUintOverflow
	}
	gas += numItems * params.TxAccessListAddressGas

	numStorageKeys := uint64(accessList.StorageKeys())
	if (math.MaxUint64-gas)/params.TxAccessListStorageKeyGas < numStorageKeys {
		return 0, ErrGasUintOverflow
	}
	gas += numStorageKeys * params.TxAccessListStorageKeyGas
}
@holiman
Copy link
Contributor

holiman commented Dec 9, 2024

Well.. for that to overflow, the length of the accesslist would have to be somewhere on the order of 7e15?

>>> 0xffffffffffffffff // 2400
7686143364045646

Might be that the preceding calculation on data is overly paranoid: I don't see a reason to make the accessList implementation go to the same lengths.

?

@rjl493456442
Copy link
Member

Yeah, but to be fair, the TxDataZeroGas overflow checking is also theoretical needed but in practice unnecessary.

I would lean to align the behaviors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants