Gas Griefing Explained in Detail
Gas griefing happens when an attacker can make a transaction fail or become impractical by controlling gas costs. The attacker may use an expensive callback, a growing loop, a failing receiver, or a call made with too little gas.
The result is often denial of service rather than direct theft.
Smart contract example
A payout loop can become impossible to execute:
```solidity
for (uint256 i = 0; i < recipients.length; i++) {
    (bool ok,) = recipients[i].call{value: amount}("");
    require(ok, "payout failed");
}
```
If the list grows too large or one receiver consumes gas or reverts, the payout path can fail for everyone.
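A pull-based counterpart to the loop above, as an added example that is not code from the original page: the batch step only records credits, and each recipient withdraws in a separate transaction, so a reverting or gas-hungry receiver affects only its own withdrawal. The contract name `PullPayout`, the `MAX_BATCH` cap, and the owner-funded model are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contract and names): pull-based payouts.
contract PullPayout {
    address public immutable owner;
    mapping(address => uint256) public owed; // unclaimed credit per recipient
    uint256 public totalOwed;                // sum of all unclaimed credits

    // Assumed cap that keeps the bookkeeping loop bounded; tune to the chain's block gas limit.
    uint256 public constant MAX_BATCH = 100;

    event Credited(address indexed recipient, uint256 amount);
    event Withdrawn(address indexed recipient, uint256 amount);

    constructor() { owner = msg.sender; }

    // Accept funding for later withdrawals.
    receive() external payable {}

    // Bookkeeping only: no external calls, so no receiver can revert or burn gas here.
    function credit(address[] calldata recipients, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(recipients.length <= MAX_BATCH, "batch too large");
        uint256 total = recipients.length * amount;
        require(address(this).balance >= totalOwed + total, "underfunded");
        totalOwed += total;
        for (uint256 i = 0; i < recipients.length; i++) {
            owed[recipients[i]] += amount;
            emit Credited(recipients[i], amount);
        }
    }

    // Each recipient triggers and pays gas for only their own transfer.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction, so re-entry finds nothing owed
        totalOwed -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed"); // reverts this caller's withdrawal only
        emit Withdrawn(msg.sender, amount);
    }
}
```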
Gas Griefing in Auditing
Gas griefing affects withdrawals, payouts, bridges, auctions, liquidations, and governance execution. It often appears around external calls, unchecked failures, and unbounded loops.
Red flags in code
- Unbounded loops over user-controlled arrays.
- Push-based payouts to many users.
- Low-level calls with fixed gas stipends.
- Failure of one receiver blocks all receivers.
- Expensive callbacks inside critical settlement paths.
- Cleanup logic must finish before users can withdraw.
How to test or review it
- Test worst-case list sizes and expensive receiver contracts.
- Check whether users can withdraw individually instead of relying on batch payouts.
- Verify failed receivers cannot block unrelated users.
- Review low-level call return values and gas forwarding.
- Treat gas griefing as a denial of service risk when liveness matters.