Joystream / audits

Repo for organizing & collaborating on audits.

No deposit is charged for adding position openings for working groups #12

Open mmostafas opened 3 years ago

mmostafas commented 3 years ago

Summary

In the working-group module the add_opening does not require a deposit for adding a new opening (only callable by the working group lead). Since the working group openings are stored on-chain, a malicious working group lead could use this extrinsic to exhaust the storage of the blockchain.

Issue

In the working-group module the add_opening has the following issues:

  1. There is no upper limit for the number of openings that can be added
  2. Calling this extrinsic is cheap since no deposit is required.

Therefore, a malicious working group lead could create a lot of new job openings by calling this extrinsic and consequently fill up the blockchain storage.

Risk

This issue would allow a malicious working group lead to fill up the blockchain storage by adding an arbitrary number of job openings. A full storage is problematic because it could lead to an infeasible amount of storage being required to run a blockchain node.

Since only working group leads, who should be trusted actors with a high stake in the system, can call this extrinsic, we consider this issue to be of low severity.

Mitigation

We suggest requiring a deposit for adding a job opening or, alternatively, limiting the number of open positions (for example to MaxWorkerNumberLimit + 10) to prevent attackers from filling up the blockchain storage.
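As an added illustration, not Joystream's pallet code, here is a stand-alone Rust model of the two mitigations proposed in the issue: a bound of MaxWorkerNumberLimit + 10 on stored openings, and a per-opening deposit that is reserved by add_opening and released when the opening is removed. The struct and field names, account ids, balances and the limit/deposit values are assumptions.

```rust
use std::collections::BTreeMap;
#[derive(Debug, PartialEq)]
pub enum Error { NotLead, TooManyOpenings, InsufficientBalance }

/// Constructed model of the working-group state that `add_opening` touches.
pub struct WorkingGroup {
    pub lead: u64,                     // account id of the working group lead
    pub max_worker_number_limit: u32,  // stands in for the pallet's MaxWorkerNumberLimit
    pub opening_deposit: u128,         // deposit reserved per opening (mitigation 1)
    pub free: BTreeMap<u64, u128>,     // free balance per account (constructed)
    pub reserved: BTreeMap<u64, u128>, // reserved (locked) balance per account
    pub openings: Vec<u32>,            // ids of openings kept "on-chain"
    next_id: u32,
}

impl WorkingGroup {
    pub fn new(lead: u64, max_worker_number_limit: u32, opening_deposit: u128, lead_balance: u128) -> Self {
        let free = BTreeMap::from([(lead, lead_balance)]);
        WorkingGroup { lead, max_worker_number_limit, opening_deposit, free,
                       reserved: BTreeMap::new(), openings: Vec::new(), next_id: 0 }
    }

    /// Bound on concurrent openings (mitigation 2: MaxWorkerNumberLimit + 10).
    pub fn max_openings(&self) -> usize { self.max_worker_number_limit as usize + 10 }

    /// Hardened `add_opening`: lead-only, bounded in count, and each call
    /// reserves a deposit so that filling storage is no longer free.
    pub fn add_opening(&mut self, origin: u64) -> Result<u32, Error> {
        if origin != self.lead { return Err(Error::NotLead); }
        if self.openings.len() >= self.max_openings() { return Err(Error::TooManyOpenings); }
        let free = self.free.entry(origin).or_insert(0);
        if *free < self.opening_deposit { return Err(Error::InsufficientBalance); }
        // Move the deposit from free to reserved; it comes back when the opening is removed.
        *free -= self.opening_deposit;
        *self.reserved.entry(origin).or_insert(0) += self.opening_deposit;
        let id = self.next_id;
        self.next_id += 1;
        self.openings.push(id);
        Ok(id)
    }

    /// Removing an opening frees the storage slot and unreserves its deposit.
    pub fn remove_opening(&mut self, id: u32) -> bool {
        let pos = match self.openings.iter().position(|&o| o == id) { Some(p) => p, None => return false };
        self.openings.remove(pos);
        *self.reserved.entry(self.lead).or_insert(0) -= self.opening_deposit;
        *self.free.entry(self.lead).or_insert(0) += self.opening_deposit;
        true
    }
}
```

With the deposit in place the lead's balance, not the chain's storage, becomes the limiting resource; the count bound covers the case of a lead wealthy enough to pay many deposits.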