SCWE-073: Message Call with Hardcoded Gas Amount
Stable Version v1.0
This content is version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).
Relationships
- CWE-400: Uncontrolled Resource Consumption (https://cwe.mitre.org/data/definitions/400.html)
Description
In Solidity, calling an external contract with a hardcoded gas value can lead to various issues, such as running out of gas or allowing a malicious contract to manipulate gas consumption. A hardcoded gas amount is inflexible: it may lead to resource exhaustion, or cause the call to fail when the fixed limit is insufficient for the operation.
Remediation
Instead of hardcoding gas values, allow the gas to be determined automatically (forward the gas available to the call) or adjust it dynamically according to the needs of the transaction. This lets the transaction complete successfully while avoiding unnecessary resource consumption.
Vulnerable Contract Example
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Example {
    address public target;

    function callTarget() public {
        // Hardcoding the gas value for the message call
        target.call{gas: 100000}(""); // Vulnerable to resource consumption issues
    }
}
```
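The remediation described above applied to the vulnerable contract, as an added example that is not part of the SCWE page: the first function forwards the gas available to the call instead of a fixed amount, and the second lets the caller choose a bound when one is genuinely needed. The contract name `ExampleFixed`, the constructor and the `data`/`gasLimit` parameters are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not from the SCWE page): the same message call without a
// hardcoded gas amount.
contract ExampleFixed {
    address public target;

    constructor(address _target) {
        target = _target;
    }

    // Forwards all gas available to the call (the EVM keeps 1/64 for the
    // caller), so the call does not break when opcode prices change in a
    // later hard fork and the callee's real cost differs from a fixed guess.
    function callTarget(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        // A low-level call does not revert on failure; check it explicitly.
        require(ok, "call to target failed");
        return ret;
    }

    // When a bound is needed (for example, to keep an untrusted callee from
    // consuming the whole transaction), the limit is supplied per call rather
    // than fixed in the bytecode, so it can be adjusted without redeploying.
    function callTargetWithGas(bytes calldata data, uint256 gasLimit)
        external
        returns (bool ok, bytes memory ret)
    {
        (ok, ret) = target.call{gas: gasLimit}(data);
    }
}
```

The `require` on the success flag matters even with the gas fix: a low-level `call` that runs out of gas returns `false` rather than reverting, so the original `callTarget` would silently continue after a failed call.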