To remediate the consumption and scale solutions, consider changing LibBasketStorage.basketStorage().inPool and LibCallStorage.callStorage().canCall into a mapping to uint - id, starting with 1 to differentiate from unmapped addresses. This way, deletion and addition of tokens can be achieved in constant time fully on-chain.
bool inPool or bool canCall can be retrieved by checking id != 0.
Handle
Czar102
Vulnerability details
Impact
Iterating through a storage list consumes large amounts of gas.
Proof of Concept
This is relevant to:
CallFacet::removeCaller(...)
BasketFacet::removeToken(...)
Recommended Mitigation Steps
To remediate the consumption and scale solutions, consider changing
LibBasketStorage.basketStorage().inPool
andLibCallStorage.callStorage().canCall
into a mapping touint
- id, starting with 1 to differentiate from unmapped addresses. This way, deletion and addition of tokens can be achieved in constant time fully on-chain.bool inPool
orbool canCall
can be retrieved by checkingid != 0
.