Vulnerability during a sub-call

Did you know that when you execute a sub-call, at most 63/64 of the gas remaining at that point is forwarded to the sub-call? This ensures that 1/64 is left to finish executing the original function. The rule was introduced with EIP-150 and is intended to prevent the “Call-Depth-Attack”.

However, that is not the subject of this tweet. I want to show a vulnerability that can arise from this logic:

In our example, we can call Main.callGuardian with a gas value chosen so that the sub-call, which receives 63/64 of the gas, runs out of gas, while the write to the state variable “called” still has enough gas (the remaining 1/64) to succeed. Whether this works depends on the gas consumed within Guardian.doSomething.
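The pattern described above, written out next to a hardened variant, as an added example that is not the original author's code. Only the names Main, Guardian, callGuardian, doSomething and `called` come from the text; the function bodies, the `try/catch` that swallows the failed sub-call, the `GUARDIAN_GAS` budget and `callGuardianChecked` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Main, Guardian, callGuardian, doSomething and `called`
// are the names used in the text; every body and constant is an assumption.
contract Guardian {
    uint256 public counter;

    // Stand-in for work that costs far more gas than the caller's bookkeeping.
    function doSomething() external {
        for (uint256 i = 0; i < 200; i++) {
            counter += i;
        }
    }
}

contract Main {
    Guardian public immutable guardian;
    bool public called;

    // Assumed gas budget for doSomething(); measure it for the real callee.
    uint256 private constant GUARDIAN_GAS = 200_000;

    constructor(Guardian guardian_) {
        guardian = guardian_;
    }

    // Weak: any failure of the sub-call is swallowed, including an out-of-gas
    // caused by the caller supplying too little gas. The 1/64 kept back by
    // EIP-150 can still pay for the write to `called`.
    function callGuardian() external {
        try guardian.doSomething() {} catch {}
        called = true;
    }

    // Hardened: still tolerates a failing Guardian, but not a starved one.
    function callGuardianChecked() external {
        try guardian.doSomething{gas: GUARDIAN_GAS}() {} catch {
            // If the 63/64 cap cut the forwarded gas below GUARDIAN_GAS, less
            // than GUARDIAN_GAS / 63 was kept back, so at most that is left.
            require(gasleft() > GUARDIAN_GAS / 63, "sub-call starved of gas");
        }
        called = true;
    }
}
```

If Main does not need to tolerate a failing Guardian at all, calling `guardian.doSomething()` without `try/catch` lets the failure revert the whole transaction, so `called` is never set on a failed sub-call.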