TOB-FUEL-12: Call receipt created with incorrect gas amount

[xgreenx]

Description

While executing a call, the interpreter forwards the minimum of the context gas, cgas, and the amount of gas the call requests to be forwarded, amount_of_gas_to_forward. This is reflected in the system register’s context gas value but not in the receipt created for the call. The receipt incorrectly uses amount_of_gas_to_forward which will show the call had more gas available to it than in practice if cgas is less than amount_of_gas_to_forward.

Figure 12.1: The receipt creation of the prepare_call function

let forward_gas_amount = cmp::min(
    *self.registers.system_registers.cgas,
    self.params.amount_of_gas_to_forward,
);
// subtract gas
*self.registers.system_registers.cgas =
    arith::sub_word(*self.registers.system_registers.cgas, forward_gas_amount)?;
*frame.context_gas_mut() = *self.registers.system_registers.cgas;
*frame.global_gas_mut() = *self.registers.system_registers.ggas;
[...]
*self.registers.system_registers.cgas = forward_gas_amount;
let receipt = Receipt::call(
    id,
    *frame.to(),
    self.params.amount_of_coins_to_forward,
    *frame.asset_id(),
    self.params.amount_of_gas_to_forward,
    frame.a(),

Exploit Scenario

An alternative Fuel implementation which returns the correct panic code cannot reach consensus or sync with the existing Fuel implementation as the block headers are different.

Recommendations

Short term, use forward_gas_amount for the receipt’s gas field.
Long term, perform additional testing of the gas accounting of call frames and the receipts created by them.

[xgreenx]

Fixed with #503