LZ_security - Due to missing checks on minimum gas and fee passed through LayerZero, executions can fail on the destination chain

[sherlock-admin2]

LZ_security

Medium

Due to missing checks on minimum gas and fee passed through LayerZero, executions can fail on the destination chain

Summary

Due to missing checks on the minimum gas and fee passed through LayerZero, executions can fail on the destination chain. An attacker can exploit this vulnerability to attack the system.

Root Cause

In LayerZero, the destination chain’s function call requires a specific gas amount; otherwise, it will revert with an out-of-gas exception. It falls under the responsibility of the oApp to ensure that appropriate limits are established.

The logic of the Deposit() operation assumes that the user will first call oapp_quote() to obtain an estimated native_fee price, and then pass this parameter into the Deposit() function.

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L141

pub fn apply(
        ctx: &mut Context<'_, '_, '_, 'info, Deposit<'info>>,
        deposit_params: &DepositParams,
        oapp_params: &OAppSendParams,
    ) -> Result<MessagingReceipt> {
       //-----skip

@>>        let options = EnforcedOptions::get_enforced_options(&ctx.accounts.enforced_options, &None);

        let endpoint_send_params = EndpointSendParams {
            dst_eid: ctx.accounts.vault_authority.dst_eid,
            receiver: ctx.accounts.peer.address,
            message: lz_message,
            options: options,
@>>            native_fee: oapp_params.native_fee,
            lz_token_fee: oapp_params.lz_token_fee,
        };

        let receipt = oapp::endpoint_cpi::send(
            ctx.accounts.oapp_config.endpoint_program,
            ctx.accounts.oapp_config.key(),
            ctx.remaining_accounts,
            seeds,
            endpoint_send_params,
        )?;

        emit!(OAppSent {
            guid: receipt.guid,
            dst_eid: ctx.accounts.vault_authority.dst_eid,
        });

        Ok(receipt)
    }
}

From the code, it can be seen that the function does not check the gas limit and gas fee. As a result, an attacker can exploit this by deliberately passing in a very small gas limit and gas fee, causing the message to fail execution on the EVM side due to “out of gas.”

The attacker can also pass in a very small or even zero token_amount, making the attack nearly cost-free.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The attacker can exploit execution failures on the EVM side to block the system, causing a Denial of Service (DoS) attack.

PoC

No response

Mitigation

In the Deposit function, execute oapp_quote() internally, and use the obtained parameters for the cpi::send() call.