Joystream / audits

Repo for organizing & collaborating on audits.

No deposit is charged for applying on working group role openings #14

Open redzsina opened 3 years ago

redzsina commented 3 years ago

Summary

In the working-group module the apply_on_opening extrinsic does not require a deposit for creating a new role application. Since the working group role applications are stored on-chain, a malicious member could use this extrinsic to exhaust the storage of the blockchain in the case of working group roles that do not require a stake.

Issue

In the working-group module, the apply_on_opening extrinsic has the following issues:

  1. There is no upper limit for the number of applications that a single member can submit for an opening.
  2. Calling this extrinsic is cheap since no deposit is required.

Therefore, a malicious actor can create a lot of applications by calling this extrinsic and consequently fill up the blockchain storage.

Risk

This issue would allow an attacker to fill up the blockchain storage by adding an arbitrary number of applications. A full storage is problematic because it could lead to an infeasible amount of storage being required to run a blockchain node.

The severity of this issue depends on the amount of stake required to fill the working group role - it is especially problematic in cases where the opening does not require any stake - thus we consider this issue to be of moderate severity.

Mitigation

We suggest requiring a deposit for creating working group applications, or alternatively, limiting the number of applications per opening_id to 1 from each member_id to prevent attackers from filling up the blockchain storage.
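The following is an added illustration of the two mitigations proposed above; it is not code from the Joystream working-group pallet and does not use Substrate. It is a stand-alone, simplified Rust model in which the names `Registry`, `apply_on_opening`, `remove_application`, the deposit amount and the member balances are all assumptions constructed for the example. It shows why the combination works as a storage-exhaustion control: every stored application locks a deposit that is only released when the application is removed, and a second application from the same member_id for the same opening_id is rejected before any state is written.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical, simplified model (not the Joystream pallet): an on-chain
// style registry of role applications that enforces (1) a deposit per
// application and (2) at most one application per (opening_id, member_id).
type MemberId = u64;
type OpeningId = u64;
type Balance = u128;

#[derive(Debug, PartialEq, Eq)]
pub enum ApplyError {
    /// The member cannot cover the deposit, so no storage item is created.
    InsufficientBalanceForDeposit,
    /// The member already has an application stored for this opening.
    AlreadyApplied,
}

pub struct Registry {
    /// Deposit locked from the applicant for every stored application.
    pub application_deposit: Balance,
    /// Free (spendable) balance per member; sample values are constructed.
    pub free_balance: BTreeMap<MemberId, Balance>,
    /// Balance currently locked by live applications, per member.
    pub reserved: BTreeMap<MemberId, Balance>,
    /// The stored applications, keyed by (opening, member).
    applications: BTreeSet<(OpeningId, MemberId)>,
}

impl Registry {
    pub fn new(application_deposit: Balance) -> Self {
        Registry {
            application_deposit,
            free_balance: BTreeMap::new(),
            reserved: BTreeMap::new(),
            applications: BTreeSet::new(),
        }
    }

    /// Mitigated version of the extrinsic: all checks run before any write.
    pub fn apply_on_opening(&mut self, member: MemberId, opening: OpeningId) -> Result<(), ApplyError> {
        // Mitigation 2: one application per (opening, member) pair.
        if self.applications.contains(&(opening, member)) {
            return Err(ApplyError::AlreadyApplied);
        }
        // Mitigation 1: the deposit must be available, so each stored
        // application has a real cost that bounds how many one member can create.
        let free = self.free_balance.get(&member).copied().unwrap_or(0);
        if free < self.application_deposit {
            return Err(ApplyError::InsufficientBalanceForDeposit);
        }
        // State changes only after both checks pass.
        self.free_balance.insert(member, free - self.application_deposit);
        *self.reserved.entry(member).or_insert(0) += self.application_deposit;
        self.applications.insert((opening, member));
        Ok(())
    }

    /// Removes a stored application (withdrawn, rejected, or the opening was
    /// filled/cancelled) and releases its deposit. Returns false if absent.
    pub fn remove_application(&mut self, member: MemberId, opening: OpeningId) -> bool {
        if !self.applications.remove(&(opening, member)) {
            return false;
        }
        let locked = self.reserved.entry(member).or_insert(0);
        *locked -= self.application_deposit;
        *self.free_balance.entry(member).or_insert(0) += self.application_deposit;
        true
    }

    /// Number of applications currently occupying storage.
    pub fn application_count(&self) -> usize {
        self.applications.len()
    }
}

fn main() {
    // Constructed sample: deposit of 10 units, one member holding 25 units.
    let mut registry = Registry::new(10);
    registry.free_balance.insert(1, 25);
    println!("{:?}", registry.apply_on_opening(1, 7)); // Ok(())
    println!("{:?}", registry.apply_on_opening(1, 7)); // Err(AlreadyApplied)
    println!("{:?}", registry.apply_on_opening(1, 8)); // Ok(())
    println!("{:?}", registry.apply_on_opening(1, 9)); // Err(InsufficientBalanceForDeposit)
    println!("stored applications: {}", registry.application_count()); // 2
}
```

The storage bound follows directly from the deposit: a member with free balance B can hold at most floor(B / application_deposit) applications at once, whatever the opening's own stake requirement, and the per-pair check caps the count per opening at one even for a member with a large balance.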