Unbounded assets[] array length could cause DoS #407
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-377
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L300-L305
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L50-L53
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L64-L67
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L76-L78
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L89-L95
Vulnerability details
Impact
It's possible to render the GovNFT.sol contract inoperable through a DoS. All of mint()/_bridgeMint()/_burn()/_transfer() could fail to function.
Proof of Concept
There is no upper limit on the length of the assets[] array, and there is no way to decrease it. If the array grows too large, the gas required by the loop that iterates over all of its elements can exceed the block gas limit and cause a DoS.
There is no limit on the size of the array when a new asset is added to it, and there is no way to remove items.
In mint()/_bridgeMint()/_burn()/_transfer(), the entire assets[] array is iterated. So if the array becomes too large over a long time, the contract could become inoperable.
Tools Used
Manual analysis.
Recommended Mitigation Steps
Set a maximum length for the assets[] array.
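An added example of the recommended mitigation, not taken from GovNFT.sol or the Tigris code base: a capped asset list whose per-operation loop has a fixed upper bound. It goes one step beyond the recommendation by also allowing removal, since the report notes the list can never shrink. The contract name, MAX_ASSETS and its value, slot, checkpoint, removeAsset and _checkpointAll are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Tigris GovNFT.sol source. Every name below
// (BoundedAssets, MAX_ASSETS, slot, checkpoint, _checkpointAll) is hypothetical.
contract BoundedAssets {
    // Assumed cap; pick it so one full pass over assets[] stays far below
    // the block gas limit of the target chain.
    uint256 public constant MAX_ASSETS = 16;
    address public immutable owner;
    address[] public assets;
    mapping(address => uint256) private slot; // index + 1, 0 = not listed
    mapping(address => mapping(address => uint256)) public checkpoint;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addAsset(address asset) external onlyOwner {
        require(asset != address(0), "zero address");
        require(slot[asset] == 0, "already listed");
        require(assets.length < MAX_ASSETS, "asset cap reached");
        assets.push(asset);
        slot[asset] = assets.length;
    }

    // Swap-and-pop: O(1) removal so the list can shrink again. A real reward
    // contract must settle balances owed in `asset` before delisting it.
    function removeAsset(address asset) external onlyOwner {
        uint256 s = slot[asset];
        require(s != 0, "not listed");
        address last = assets[assets.length - 1];
        assets[s - 1] = last;
        slot[last] = s;
        assets.pop();
        delete slot[asset];
    }

    // Stand-in for the per-asset loop run on mint/burn/transfer: it now
    // executes at most MAX_ASSETS iterations, so its gas cost is bounded.
    function _checkpointAll(address account, uint256 value) internal {
        uint256 n = assets.length; // read the length once, not per iteration
        for (uint256 i = 0; i < n; i++) {
            checkpoint[account][assets[i]] = value;
        }
    }
}
```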