code-423n4 / 2021-08-realitycards-findings


use of array without checking its length #60

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

JMukesh

Vulnerability details

Impact

Since no limit is mentioned in batchWhitelist() for the input `_users` array, it may run out of gas if the array length becomes large.

Proof of Concept

https://github.com/code-423n4/2021-08-realitycards/blob/39d711fdd762c32378abf50dc56ec51a21592917/contracts/RCTreasury.sol#L249

Tools Used

Manual review

Recommended Mitigation Steps

Add a limitation on the number of addresses that can be whitelisted at a time.
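The pattern the report describes, next to the bounded form it recommends, as an added example that is not part of the original report and is not code from RCTreasury.sol. The contract name, the `isAllowed` mapping, the `onlyOwner` guard, the `Whitelisted` event and the `MAX_BATCH` value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract for illustration; names other than batchWhitelist
// and _users are assumptions and do not come from RCTreasury.sol.
contract WhitelistExample {
    address public immutable owner;
    mapping(address => bool) public isAllowed;

    // Assumed cap; choose it from measured gas per entry on the target chain.
    uint256 public constant MAX_BATCH = 200;

    event Whitelisted(address indexed user, bool allowed);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Pattern described in the report: gas grows linearly with _users.length,
    // so a large enough array makes the whole call revert with out-of-gas
    // and none of the entries are written.
    function batchWhitelistUnbounded(address[] calldata _users, bool _allowed)
        external
        onlyOwner
    {
        for (uint256 i = 0; i < _users.length; i++) {
            isAllowed[_users[i]] = _allowed;
        }
    }

    // Recommended form: reject oversized input up front so the caller gets a
    // clear revert reason and splits the list into several transactions.
    function batchWhitelist(address[] calldata _users, bool _allowed)
        external
        onlyOwner
    {
        require(_users.length <= MAX_BATCH, "batch too large");
        for (uint256 i = 0; i < _users.length; i++) {
            isAllowed[_users[i]] = _allowed;
            emit Whitelisted(_users[i], _allowed);
        }
    }
}
```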

Splidge commented 3 years ago

This whitelist is a temporary measure to be used in the Beta and the run-up to launch; after launch it will be disabled. As such, we will not be making changes to a feature that will not be used going forward.