Loops Consuming Excessive Gas

Loops Consuming Excessive Gas

What is Gas in Smart Contracts?

Gas is a measurable unit that is used to measure the computational power in Ethereum smart contracts. It refers to the cost necessary to perform a transaction on the network.

Whenever a user interacts with a smart contract or performs a transaction, miners need to process this input in the Ethereum Virtual Machine (EVM).

This is done to generate accurate outcomes like performing a function, returning the correct information, and sending the ETH to a verified address. To do this effectively, these miners use their computational power; the more complex the transaction is, the more power it needs to work on it. This means more use of gas.

What is the difference between Ether and Gas?

Ether and Gas are both different. Ether is the currency, while Gas refers to the fee required to conduct a transaction on Ethereum successfully. Gas fees are paid in Ether.

Understanding Gas Limit in Smart Contracts?

Gas limit means the maximum limit of gas a contract needs to perform a function. For instance, while sending some Ether from A to B, the set limit for gas is 21000, with an assumption that no more data is there in the following transaction. 21000 is the maximum gas on Ethereum that can be used for a transaction. In cases the Ether is unused, it will be transferred back to the user’s account if the transaction was complete within the set limit. Remember, complex transactions will use more gas.

Following are some examples of complex transactions:

1. Publishing a smart contract
2. Sending Ether to another address
3. Calling a function on a smart contract
4. Sending Ether to another address with additional metadata

The formula to calculate the gas limit is shown below as per the Ethereum Yellow Paper.

Loops in Solidity

Solidity, just like other programming languages, supports the concept of loops. Loops are used to execute a piece of code a certain number of times until a terminating condition is reached.

But, unlike other languages, Solidity uses Gas to fuel each transaction on the Ethereum network. Each piece of code costs the user some gas to execute their transaction.

This can prove troublesome if the loops are infinite, as this will cause the transactions to execute till the point the user runs out of Gas, and then the function would fail, producing improper and erroneous results.

Security Threats!

A peculiar case of excessive gas abuse can be seen in scenarios where there’s a user-controlled parameter that is directly used inside loops without any validation on the number of times for which the loop runs.

As we can see in the below vulnerable code, the function “participate” can be controlled by external users to push their addresses inside the “participants” array. This is then used inside the “withdraw” function to execute the withdrawals for all the participants.

If we want to attack this particular scenario, then we can make multiple calls to the “participate” function to fill up the array with spam addresses.

When this array of addresses is used inside the “withdraw” function, the calls will eventually fail when the transaction runs out of gas due to the excessive size of the “participants” array.

pragma solidity 0.8.8;

contract loopDos {

address[] private participants;

function participate(address participant) external {

   require(msg.sender == participant);

   participants.push(participant);

}

function withdraw() external {

   for(uint i; i < participants.length; i++) {

    require(payable(participants[i]).send(participants[i].balance));

   }
 }
}

Best Practices to Prevent Loop Consuming Excessive Gas

Here is a list of ways that can help loop from consuming excessive gas:

1. User-controlled parameters in a loop: The functions should validate that the users can’t control the variable length used inside the loop to traverse a large amount of data. If it can’t be omitted, then there should be a limit on the length as per the code logic.
2. Gas efficiency in loops: Whenever loops are used in Solidity, the developers should pay special attention to the actions happening inside the loop to make sure that the transaction does not consume excessive gas and does not go over the gas limit.

To minimize the damage caused by such failures inside the loops, it is better to isolate each external call into its own transaction that can be initiated by the recipient of the call.

Conclusion

Our cloud-based smart contract security scanner SolidityScan can automatically find vulnerabilities related to unchecked loops.

Ethereum is an ecosystem fueled by Gas. This puts a great emphasis on gas cost optimization wherever necessary in smart contracts.

Loops without any input validation on their execution lengths can introduce inconsistencies in the contract state, leading to security vulnerabilities.

Signup for a free trial at https://solidityscan.com/signup