
Missing chain consistency check between gas oracle and RPC in gateway builder causes fee overpayment or publish failures #1872

@neekolas

Description

Severity: Low | Likelihood: Low | Impact: Medium | Type: Vulnerability

Details

The gateway builds a gas oracle from the app-chain WSS URL and a transaction RPC client from the app-chain RPC URL without verifying they point to the same chain, leading to gas mispricing on the target chain and resulting in either unnecessary fee spend or failed publishing.

In the gateway builder's setupBlockchainPublisher, the transaction client is created from contracts.app-chain.rpc-url while the gas oracle is created from contracts.app-chain.wss-url. The oracle detects chain and pricing mode from the WSS endpoint (e.g., Arbitrum precompile vs. default eth_gasPrice) and supplies gas prices used to construct legacy transactions that are sent via the RPC client. There is no chain ID consistency check between the WSS and RPC endpoints, and the gateway path does not invoke available validators that would catch mismatches.

Exploitation

Scenario 1

Overpaying gas: WSS points to Ethereum mainnet while RPC points to Arbitrum; the oracle returns mainnet-level gas prices which are used to post transactions on Arbitrum, causing significant fee overpayment per transaction.

Preconditions / Assumptions:

  • (a) Operator configures contracts.app-chain.wss-url to an Ethereum mainnet endpoint
  • (b) Operator configures contracts.app-chain.rpc-url to an Arbitrum endpoint
  • (c) contracts.app-chain.chain-id matches the RPC chain
  • (d) Gateway builder does not validate WSS/RPC chain consistency

Scenario 2

Local DoS for chain publishing: WSS points to Arbitrum while RPC points to Ethereum mainnet; the oracle returns low L2-like gas prices that are below mainnet base fees, so SendTransaction fails immediately and chain-published messages consistently fail.

Preconditions / Assumptions:

  • (a) Operator configures contracts.app-chain.wss-url to an Arbitrum endpoint
  • (b) Operator configures contracts.app-chain.rpc-url to an Ethereum mainnet endpoint
  • (c) contracts.app-chain.chain-id matches the RPC chain
  • (d) Gateway builder does not validate WSS/RPC chain consistency

Scenario 3

No-op fee spend: Contracts configured for a different environment than the RPC chain; transactions are sent to addresses without code, consuming gas but producing no logs and failing the publish after receipt parsing.

Preconditions / Assumptions:

  • (a) Operator configures contract addresses for an environment different from the RPC chain
  • (b) contracts.app-chain.chain-id matches the RPC chain
  • (c) Gateway builder does not validate that contracts are deployed on the RPC chain

Files impacted

  • pkg/gateway/builder.go

Lines 435-438 (oracle created from WSS without chain ID check):

return nil, err
}

oracle, err := oracle.New(ctx, logger, cfg.Contracts.AppChain.WssURL)
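
A sketch of the startup check whose absence Scenarios 1 and 2 depend on, added here as an example and not the project's own code. The names verifyChainConsistency, endpoint and fixedChain are hypothetical, the chain IDs 1 and 42161 are constructed sample values, and the interface assumes clients that expose ChainID the way go-ethereum's ethclient.Client does.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/big"
)

// chainIDReader is the one method this check needs; go-ethereum's
// *ethclient.Client provides ChainID with this signature.
type chainIDReader interface {
	ChainID(ctx context.Context) (*big.Int, error)
}

// endpoint pairs a config key with a client dialed from its URL.
type endpoint struct {
	Name   string
	Client chainIDReader
}

// verifyChainConsistency (hypothetical helper) fails unless every endpoint
// reports the configured chain ID, so a WSS/RPC mismatch stops startup.
func verifyChainConsistency(ctx context.Context, want int64, eps ...endpoint) error {
	var errs []error
	for _, ep := range eps {
		got, err := ep.Client.ChainID(ctx)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: eth_chainId failed: %w", ep.Name, err))
			continue
		}
		if got == nil || got.Cmp(big.NewInt(want)) != 0 {
			errs = append(errs, fmt.Errorf("%s: reports chain %v, config expects %d", ep.Name, got, want))
		}
	}
	return errors.Join(errs...) // nil when every endpoint matched
}

// fixedChain is a constructed stand-in for a dialed endpoint (sample input).
type fixedChain int64

func (f fixedChain) ChainID(context.Context) (*big.Int, error) { return big.NewInt(int64(f)), nil }

func main() {
	// Constructed sample with Scenario 1's shape: WSS on chain 1, RPC on 42161.
	fmt.Println(verifyChainConsistency(context.Background(), 42161,
		endpoint{"contracts.app-chain.wss-url", fixedChain(1)},
		endpoint{"contracts.app-chain.rpc-url", fixedChain(42161)}))
}
```

Run before the oracle and transaction client are handed to the publisher, a non-nil result would abort the build instead of letting mispriced transactions go out.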
