fix: set an upper bound to gasWanted to prevent DoS attack (evmos#991)

Closes: evmos#989

Co-authored-by: Federico Kunze Küllmer <31522760+fedekunze@users.noreply.github.com>

CHANGELOG.md

@@ -41,6 +41,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 - (rpc) [tharsis#979](https://github.com/tharsis/ethermint/pull/979) Add configurable timeouts to http server
 - (rpc) [tharsis#988](https://github.com/tharsis/ethermint/pull/988) json-rpc server always use local rpc client
+* (ante) [tharsis#991](https://github.com/tharsis/ethermint/pull/991) Set an upper bound to gasWanted to prevent DoS attack.
 
 ### Bug Fixes
 

app/ante/eth.go

@@ -17,6 +17,8 @@ import (
 	ethtypes "github.com/ethereum/go-ethereum/core/types"
 )
 
+const MaxTxGasWanted uint64 = 500000
+
 // EthSigVerificationDecorator validates an ethereum signatures
 type EthSigVerificationDecorator struct {
 	evmKeeper EVMKeeper
@@ -171,7 +173,6 @@ func (egcd EthGasConsumeDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simula
 	london := ethCfg.IsLondon(blockHeight)
 	evmDenom := params.EvmDenom
 	gasWanted := uint64(0)
-
 	var events sdk.Events
 
 	for _, msg := range tx.GetMsgs() {
@@ -184,7 +185,17 @@ func (egcd EthGasConsumeDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simula
 		if err != nil {
 			return ctx, sdkerrors.Wrap(err, "failed to unpack tx data")
 		}
-		gasWanted += txData.GetGas()
+
+		if ctx.IsCheckTx() {
+			// We can't trust the tx gas limit, because we'll refund the unused gas.
+			if txData.GetGas() > MaxTxGasWanted {
+				gasWanted += MaxTxGasWanted
+			} else {
+				gasWanted += txData.GetGas()
+			}
+		} else {
+			gasWanted += txData.GetGas()
+		}
 
 		fees, err := egcd.evmKeeper.DeductTxCostsFromUserBalance(
 			ctx,

app/ante/eth_test.go

@@ -268,7 +268,7 @@ func (suite AnteTestSuite) TestEthGasConsumeDecorator() {
 		{
 			"success",
 			tx2,
-			tx2GasLimit,
+			ante.MaxTxGasWanted, // it's capped
 			func() {
 				vmdb.AddBalance(addr, big.NewInt(1000000))