Open code423n4 opened 2 years ago
The getters weren't designed to be called in any transactions, but agreed, if an external contract will use it, it might fail. Right now we have only 10 validators who are whitelisted. In the upgraded version, there will be no whitelist and anyone would be able to become a validator. The current list is small enough, and we will handle the getters in the next contract version.
Agree with the finding, the function can fail given certain conditions
Am ok with a nofix
Handle
cmichel
Vulnerability details
The
getValidatorsDetails
function iterates over allvalidatorsN
elements.Impact
The transactions can fail if used by another smart contract on-chain. This happens in case the number of validators gets too large and the transaction would consume more gas than the block limit. It will also cost a lot of gas as the entire validator set is always fetched.
Recommended Mitigation Steps
Consider pagination for the view functions by adding
startIndex, count
parameters that read the array from indexstartIndex
and read onlycount
many elements.