Users might be unable to claim receipt because of unbounded loop #578
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-552
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L117
Vulnerability details
Impact
When a user claims from any Quest contract, the claim calls getOwnedTokenIdsOfQuest() on the RabbitHoleReceipt contract to get all token IDs for that quest owned by the caller. getOwnedTokenIdsOfQuest() loops through every receipt owned by the caller and filters for the tokens that belong to that quest.
Normally each user can mint only 1 receipt per quest and therefore holds only 1 token per quest, but users can purchase more receipts on the open market and hold more than 2 tokens per quest. In addition, the RabbitHoleReceipt contract holds the receipts for all quests.
So if an attacker can somehow create a quest where the value of each receipt is negligible or zero, he can transfer all of these spam receipts to a victim, making the victim's claim call more expensive in terms of gas cost. Technically, it is even possible to DoS the victim's claim once the gas cost exceeds the block gas limit.
Proof of Concept
Function getOwnedTokenIdsOfQuest() is used in the Quest.claim() function.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider using a data structure that can query all tokens for a quest quickly. For example, a mapping of owner to questId to array.
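One way to build the owner-to-questId-to-array mapping suggested above, as an added example that is not from the report or the quest-protocol code base: a minimal receipt ledger (not a full ERC-721) whose mint and transfer paths keep the index current. Apart from getOwnedTokenIdsOfQuest, every name is hypothetical, and the string quest ids and the function signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added example: hypothetical names throughout, except getOwnedTokenIdsOfQuest.
// Access control, zero-address checks, approvals and burning are left out of this model.
contract IndexedReceiptSketch {
    mapping(uint256 => address) public ownerOf;          // tokenId => owner
    mapping(uint256 => string) public questIdForTokenId; // tokenId => questId
    // owner => keccak256(questId) => token ids the owner holds for that quest
    mapping(address => mapping(bytes32 => uint256[])) private _owned;
    mapping(uint256 => uint256) private _slot;           // tokenId => position in its _owned array
    uint256 private _nextId = 1;

    function mint(address to, string calldata questId) external returns (uint256 id) {
        id = _nextId++;
        questIdForTokenId[id] = questId;
        ownerOf[id] = to;
        _add(to, id);
    }

    function transfer(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        _remove(msg.sender, id);
        ownerOf[id] = to;
        _add(to, id);
    }

    // Cost depends only on the owner's receipts for this quest,
    // so receipts from unrelated quests cannot inflate it.
    function getOwnedTokenIdsOfQuest(string calldata questId, address owner)
        external view returns (uint256[] memory) {
        return _owned[owner][keccak256(bytes(questId))];
    }

    function _add(address owner, uint256 id) private {
        uint256[] storage list = _owned[owner][keccak256(bytes(questIdForTokenId[id]))];
        _slot[id] = list.length;
        list.push(id);
    }

    // Swap-and-pop keeps removal O(1) regardless of list length.
    function _remove(address owner, uint256 id) private {
        uint256[] storage list = _owned[owner][keccak256(bytes(questIdForTokenId[id]))];
        uint256 last = list[list.length - 1];
        list[_slot[id]] = last;   // move the last id into the vacated position
        _slot[last] = _slot[id];
        list.pop();
        delete _slot[id];
    }
}
```

The read path no longer iterates over the caller's whole balance; the extra storage writes are paid by whoever mints or transfers a receipt.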