search
Active Boosts

#42930 [BC-High] Users are unable to increase their gas resulting in stuck funds

Submitted on Mar 29th 2025 at 14:32:03 UTC by @okmxuse for Attackathon | Movement Labsarrow-up-right

  • Report ID: #42930

  • Report Type: Blockchain/DLT

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/opt-executor

  • Impacts:

    • Permanent freezing of funds (fix requires hardfork)

    • Direct loss of funds

    • A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk

hashtag
Description

hashtag
Description

The Aptos mempool, like other networks, allows users to increase the gas price of a previously submitted transaction.

For this to happen, the newly submitted transaction must have the same sequence number as the original transaction the user intends to speed up. This requirement is enforced in:

transaction_store.rs::insert

if let Some(txns) = self.transactions.get_mut(&address) {
    if let Some(current_version) = txns.get_mut(&txn_seq_num) {
        // ..code

If these conditions are met, the user's transaction with the increased gas price is accepted:

Despite this intended behavior, a conflicting check in transaction_pipe.rs::has_invalid_sequence_number will always prevent gas-increase transactions from succeeding:

This check will never allow the same sequence number to be submitted.

Note that this check is different than the one made in mempool.rs::add_txn and this is not the reason why the transactions fails.

We will further prove all this in the POC.

hashtag
Impact

This issue inevitably results in a user's funds becoming stuck. At worst, it can cause a user to have a direct loss of funds since the transaction might become stuck permanently since a user is never able to speed it up.

hashtag
Recommendation

We would recommend mitigating this issue properly.

hashtag
Proof of Concept

hashtag
Proof of Concept

  1. Add the following test function** inside transaction_pipe.rs:

  1. Run the test:

  2. Logs

To confirm that the issue is not related to the mempool.rs::add_txn check, modify transaction_pipe.rs::has_invalid_sequence_number by removing the root issue check:

  1. Re-run the test:

  2. Failure Logs:

Since the test now fails with Accepted instead of InvalidSeqNumber, it confirms that the original rejection was due to the has_invalid_sequence_number check and not the one from mempool.rs::add_txn:

Previous#42925 [BC-Insight] Transactions won't be included on Celestia when the gas price is high, and the transactions on Movement will be forgottenNext#42928 [BC-Medium] Depositing gas fees into the governed gas pool does not work when the CoinStore is frozen

Was this helpful?