# Attackathon \_ Fuel Network 32860 - \[Blockchain\_DLT - Insight] Resource Abuse CCP instruction is load Submitted on Fri Jul 05 2024 06:27:13 GMT-0400 (Atlantic Standard Time) by @ret2happy for [Attackathon | Fuel Network](https://immunefi.com/bounty/fuel-network-attackathon/) Report ID: #32860 Report type: Blockchain/DLT Report severity: Insight Target: Impacts: * Temporary freezing of network transactions by delaying one block by 3000% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments * Causing network processing nodes to process transactions from the mempool beyond set parameters (e.g. prevents processing transactions from the mempool) * Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours ## Description ## Brief/Intro CCP instruction executes the contract loading operation before charging GAS. The attacker could perform resource-costing operation for contract loading with low GAS. Such undercharge instruction would cause additional burden of the validators, increasing node pressure. ## Vulnerability Details In the `CCP` instruction, it loaded the contract before charing the dependent GAS as `fuel-vm/src/interpreter/blockchain.rs#L792-L820` shows: \[1] ``` let contract = super::contract::contract(self.storage, &contract_id)?; // load contract before charging let contract_bytes = contract.as_ref().as_ref(); let contract_len = contract_bytes.len(); let charge_len = core::cmp::max(contract_len as u64, length); let profiler = ProfileGas { pc: self.pc.as_ref(), is: self.is, current_contract: self.current_contract, profiler: self.profiler, }; dependent_gas_charge_without_base( self.cgas, self.ggas, profiler, self.gas_cost, charge_len, )?; // Owner checks already performed above copy_from_slice_zero_fill( self.memory, self.owner, contract.as_ref().as_ref(), dst_addr, offset as usize, length, )?; ``` If the contract is very large, it would be resources consuming without charing the large dependent GAS. We should firstly get the contract size using the storage API i.e., `contract_size` and charge the dependent GAS before load the contract. ## Impact Details Attacker is allowed to use CCP instruction to load very large contract with very cheap GAS. It would lead to the network stuck or cease the node processing. ## References \[1] ## Proof of concept ## Proof of Concept We could simply debug the CCP instruction using a test program: ``` #[test] fn code_copy_b_gt_vm_max_ram() { let reg_a = 0x20; // test overflow add let code_copy = vec![ op::slli(reg_a, RegId::ONE, MAX_MEM_SHL), op::subi(reg_a, reg_a, 31), op::ccp(RegId::ZERO, reg_a, RegId::ZERO, RegId::ZERO), ]; check_expected_reason_for_instructions(code_copy, MemoryOverflow); } ``` We could check whether the GAS is charged after the contract is loaded in the vulnerability details \[1]. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32860-blockchain_dlt-insight-resource-abuse-ccp-instruction-is-loading-th.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.