Gas Griefing
Detects external calls that forward insufficient gas or allow callers to specify gas amounts that cause downstream operations to fail.
Gas Griefing
Overview
The gas griefing detector identifies contracts where external calls can be made to fail by manipulating gas allocation. An attacker can supply just enough gas for the outer function to execute but insufficient gas for a nested external call. If the outer function does not check the call’s success or ignores the out-of-gas revert, the attack causes selective operation failures — for example, making a relay transaction appear to succeed while the inner call silently fails.
Why This Is an Issue
Gas griefing is particularly dangerous in relayer patterns, meta-transactions, and batch operations. A relayer processes a user’s transaction and expects reimbursement, but if the relayer provides just enough gas for the relay logic to complete while the user’s actual transaction fails, the relayer collects fees without delivering service. Similarly, batch operations where one item’s gas limit affects others can be griefed to cause selective failures.
How to Resolve
// Before: Vulnerable — no gas check, ignores inner call result
function relay(address target, bytes calldata data) external {
target.call(data); // May fail due to insufficient gas
relayerRewards[msg.sender] += fee;
}
// After: Fixed — verify inner call success and ensure minimum gas
function relay(address target, bytes calldata data) external {
require(gasleft() >= MIN_GAS_RESERVE + 50000, "Insufficient gas");
(bool success, ) = target.call{gas: gasleft() - MIN_GAS_RESERVE}(data);
require(success, "Inner call failed");
relayerRewards[msg.sender] += fee;
}Detection Methodology
- External call identification: Locates CALL, STATICCALL, and DELEGATECALL instructions.
- Gas forwarding analysis: Checks whether the gas amount forwarded to the call is user-controlled or relies on
gasleft()without a minimum reserve. - Return value check: Flags calls whose boolean return value is not checked.
- Post-call logic: Identifies state changes that occur regardless of the call’s success (e.g., fee collection, counter increments).
Limitations
False positives: Contracts where external call failure is intentionally ignored (e.g., best-effort notifications) are safe but flagged. False negatives: Complex gas computation patterns that ensure sufficient gas through non-obvious logic may not be recognized.
Related Detectors
- Unchecked Call — detects unchecked external call return values
- DoS — detects denial-of-service patterns
- Returnbomb — detects return-data gas attacks