F-2023-0003·gas-accounting

Risk of Incorrect Interface Reporting Due to Insufficient Gas

TL;DR

supportsInterface can throw out of gas under EIP-150 even when adequate gas was supplied, causing the function to incorrectly report a contract does not support an interface it actually implements.

Severity: HIGH
Impact: MEDIUM
Likelihood: HIGH
Method: Manual review
Complexity: LOW
Exploitability: HIGH

Description

The supportsInterface function implemented in the ERC1155 contract is exposed to potential risks because it relies on the amount of gas supplied to it, without incorporating proper checks and safeguards against insufficient gas errors as per the EIP-165 specification. According to the EIP-165 specification, supportsInterface is allowed to consume up to 30,000 gas.

However, due to the intricacies of Ethereum's gas mechanism (specifically EIP-150), the gas sent to the function can be less than expected, causing the function to throw an "out of gas" error even when there's technically adequate gas for the function to execute correctly.

This situation may lead to inaccurate results from the supportsInterface function, causing it to incorrectly signal that a contract does not support a certain interface when, in reality, it does.


Impact

  • Incorrect Interface Reporting: The function might inaccurately report that a contract does not support a certain interface due to out-of-gas errors, even if the contract implements the interface. This can lead to improper interaction with the contract, as relying functions or contracts may misinterpret the supported interfaces.
  • Transaction Failure: Transactions may fail due to the function throwing out-of-gas errors, leading to disrupted operations and user dissatisfaction.

This issue has been discussed under ERC-165 Standard Interface Detection. A PoC has been provided with contracts and tests at ethereum_gas/testERC165.js.


Recommendation

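Gas Checking Before Call: Implement a mechanism that checks gasleft() before making the call and ensures it is sufficient according to the requirements. For example:

```solidity
// Under EIP-150 a call can forward at most all but 1/64 of the remaining gas,
// so confirm that share still covers the 30,000 gas EIP-165 allows.
uint256 gasAvailable = gasleft();
require(
    gasAvailable - gasAvailable / 64 >= 30000,
    "Not enough gas provided"
);
```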

This method may require accurate computation of the gas required between gasleft() and the CALL operation.

Gas Checking After Call: Check gasleft() after the call to ensure there is sufficient gas remaining. For instance:

```solidity
// Execute STATIC_CALL with 30,000 gas
require(gasleft() > 30000 / 63, "Not enough gas left");
```

This approach works if the call throws due to insufficient gas. However, it demands careful coding of supportsInterface to avoid interference with the gasleft() check.
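The after-call check placed in a complete caller-side query, as an added example that is not part of the audited code or the original report. The library name `GasCheckedERC165` and function name `supportsInterfaceChecked` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; library and function names are hypothetical.
library GasCheckedERC165 {
    // EIP-165 allows supportsInterface to use up to 30,000 gas.
    uint256 private constant ERC165_GAS = 30000;
    // Selector of supportsInterface(bytes4).
    bytes4 private constant SUPPORTS_INTERFACE = 0x01ffc9a7;

    function supportsInterfaceChecked(address target, bytes4 interfaceId)
        internal
        view
        returns (bool)
    {
        bytes memory payload =
            abi.encodeWithSelector(SUPPORTS_INTERFACE, interfaceId);

        // Request 30,000 gas. Under EIP-150 the callee receives at most
        // all but 1/64 of the caller's remaining gas, so it may get less.
        (bool success, bytes memory ret) =
            target.staticcall{gas: ERC165_GAS}(payload);

        // If the callee was given less than 30,000 gas and used all of it,
        // the caller keeps only the withheld 1/64 share, which is no more
        // than 30000 / 63. Revert rather than report a false negative.
        require(gasleft() > ERC165_GAS / 63, "Not enough gas left");

        // A failed call or short return data means "not supported".
        if (!success || ret.length < 32) {
            return false;
        }
        // Decode as uint256 so a malformed boolean cannot make decoding revert.
        return abi.decode(ret, (uint256)) != 0;
    }
}
```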
