Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Infinite loop if there are too many members to add #201

Closed
cedoor opened this issue Dec 19, 2022 · 0 comments · Fixed by #205
Closed

Infinite loop if there are too many members to add #201

cedoor opened this issue Dec 19, 2022 · 0 comments · Fixed by #205
Assignees
@cedoor
Labels
bug 🐛 Something isn't working
Milestone
Semaphore Protoco...

Comments

@cedoor
Copy link
Member

cedoor commented Dec 19, 2022

Describe the bug

The Semaphore contract allows the admin to add group members in a batch by calling addMembers (presumably for gas efficiency). When this function is called, a for loop iterates over all identityCommitments upon which _addMember is called. This for loop, however, uses a uint8 as the iterator and makes the iterator increment unchecked. As a result, if the input array’s size is larger than 255 (the maximum value of a uint8) then the iterator’s value will overflow causing the loop to restart at 0 resulting in an infinite loop.

Impact

If an admin adds more than 255 members, the infinite loop will consume all of the transaction’s gas and then revert. This therefore can waste a user’s funds.

Additional context

This bug was found by Veridise during their audit of Semaphore. If you acknowledge and fix this bug, can you please mention Veridise in the commit.
@cedoor cedoor added the bug 🐛 Something isn't working label Dec 19, 2022
@cedoor cedoor added this to the Semaphore Protocol v3 milestone Dec 19, 2022
@cedoor cedoor self-assigned this Dec 19, 2022
cedoor added a commit that referenced this issue Dec 19, 2022
@cedoor
fix(contracts): increase size of members iterator variable
1c5ccb8 
This bug was found by Veridise during their audit of Semaphore.

fix #201
@cedoor cedoor mentioned this issue Dec 19, 2022
Merged
2 tasks
@cedoor cedoor linked a pull request Dec 19, 2022 that will close this issue
Increase size of iterator variable #205
Merged
2 tasks
@cedoor cedoor closed this as completed Dec 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cedoor cedoor

Labels
bug 🐛 Something isn't working
Projects
Semaphore Board
Status: ✔️ Done
Milestone
Semaphore Protocol v3
Development

Successfully merging a pull request may close this issue.

Increase size of iterator variable semaphore-protocol/semaphore
1 participant
@cedoor