Gas measures the computational and storage cost of executing a transaction on Ethereum or another EVM chain. Each operation has a fixed gas cost; the sender pays a gas price (in gwei) per unit of gas consumed.
For security, gas matters in two ways:
- Gas griefing: an attacker forces the protocol or a user to consume gas in pathological ways, by reverting in fallback functions, by inflating loop iterations, or by passing extreme gasleft() values.
- Out-of-gas DoS: a function that loops over an unbounded array can exceed the block gas limit and become permanently uncallable.
Best practice is to never iterate over user-supplied or unbounded arrays, to bound any loop in a function whose gas cost a user pays, and to avoid making refund logic depend on gas-stipend assumptions that change between forks (the 2300-gas stipend behavior changed across hard forks and broke contracts).
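As an added illustration (not code from the original page), a push-style distributor that loops over a user-growable array, beside a pull-payment version that credits balances in caller-bounded pages and lets each recipient withdraw separately; the contract and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: loops over an unbounded, user-growable array. Once enough
// accounts register, distribute() exceeds the block gas limit and can
// never succeed again, and one reverting recipient blocks everyone.
contract PushDistributor {
    address[] public recipients;

    function register() external { recipients.push(msg.sender); }

    function distribute() external payable {
        uint256 share = msg.value / recipients.length;
        for (uint256 i = 0; i < recipients.length; i++) {
            (bool ok, ) = recipients[i].call{value: share}("");
            require(ok, "transfer failed"); // griefable by a reverting fallback
        }
    }
}

// Hardened: credit balances in caller-bounded pages and let each recipient
// withdraw its own share, so no call's gas depends on how many registered
// and no single recipient can block the others.
contract PullDistributor {
    address[] public recipients;
    mapping(address => uint256) public owed;

    function register() external { recipients.push(msg.sender); }

    // Caller chooses [start, end) so the loop always fits in a block.
    function credit(uint256 start, uint256 end, uint256 perRecipient) external payable {
        require(start < end && end <= recipients.length, "bad range");
        require(msg.value == (end - start) * perRecipient, "wrong value");
        for (uint256 i = start; i < end; i++) {
            owed[recipients[i]] += perRecipient;
        }
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed"); // only the caller's own call can fail
    }
}
```

The pull version also sidesteps the 2300-gas stipend question entirely: it forwards all available gas with call and never relies on transfer or send semantics that differ across forks.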