code-423n4 / 2023-01-drips-findings


DoS with block gas limit in `squeezeDrips` #291

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Drips.sol#L450

Vulnerability details

Squeezing drips requires verifying the entire history of that drip. This means iterating over an unbounded loop of the size of the history:

```solidity
for (uint256 i = 0; i < dripsHistory.length; i++) {
    DripsHistory memory drips = dripsHistory[i];
    bytes32 dripsHash = drips.dripsHash;
    if (drips.receivers.length != 0) {
        // An entry carries either a precomputed hash or the receivers, never both
        require(dripsHash == 0, "Drips history entry with hash and receivers");
        dripsHash = _hashDrips(drips.receivers);
    }
    // Record the chain hash as it stood before this entry, then extend the chain
    historyHashes[i] = historyHash;
    historyHash = _hashDripsHistory(historyHash, dripsHash, drips.updateTime, drips.maxEnd);
}
```

As a result of having to iterate over the entire history, if the history exceeds a certain size, the total gas cost of squeezing that drip will exceed the block gas limit, making it impossible to ever squeeze from that drip. This means that all tokens from that drip would be locked in the contract until the drips are complete.
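
As an added example (hypothetical code, not the Drips contract and not the project's own fix): a stripped-down contract that reproduces the verification loop from the finding and places a chunked variant beside it, where a caller can verify a long history across several transactions so that no single call has to fit the entire chain into one block. The contract name, `MAX_CHUNK`, `verifiedPrefix`, `verifyChunk`, `isVerified` and the simplified `DripsHistory` fields are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical demo contract (not Drips code): the history-verification loop
/// from the finding above, next to a chunked variant. Names, struct layout and
/// MAX_CHUNK are assumptions made for this example.
contract HistoryChainDemo {
    /// Simplified stand-in for a Drips history entry: either `dripsHash` is set,
    /// or `receivers` is given and hashed on the spot (never both).
    struct DripsHistory {
        bytes32 dripsHash;
        bytes32[] receivers;
        uint32 updateTime;
        uint32 maxEnd;
    }

    /// Largest number of entries one call may verify; sized so the call fits
    /// comfortably inside a block (the exact bound is an assumption).
    uint256 public constant MAX_CHUNK = 64;

    /// Prefix hashes this contract has already folded from the empty chain.
    /// `verifiedPrefix[h] == true` means the full entry sequence hashing to `h`
    /// was submitted and checked, possibly across several transactions.
    mapping(bytes32 => bool) public verifiedPrefix;

    function _hashDrips(bytes32[] calldata receivers) internal pure returns (bytes32) {
        if (receivers.length == 0) return 0;
        return keccak256(abi.encodePacked(receivers));
    }

    function _hashDripsHistory(bytes32 prev, bytes32 dripsHash, uint32 updateTime, uint32 maxEnd)
        internal pure returns (bytes32)
    {
        return keccak256(abi.encode(prev, dripsHash, updateTime, maxEnd));
    }

    /// The loop from the finding, folding `entries` onto `start`. Gas is linear
    /// in `entries.length`; the per-entry `historyHashes[i]` bookkeeping of the
    /// real contract is left out here.
    function _fold(bytes32 start, DripsHistory[] calldata entries) internal pure returns (bytes32 historyHash) {
        historyHash = start;
        for (uint256 i = 0; i < entries.length; i++) {
            DripsHistory calldata drips = entries[i];
            bytes32 dripsHash = drips.dripsHash;
            if (drips.receivers.length != 0) {
                require(dripsHash == 0, "Drips history entry with hash and receivers");
                dripsHash = _hashDrips(drips.receivers);
            }
            historyHash = _hashDripsHistory(historyHash, dripsHash, drips.updateTime, drips.maxEnd);
        }
    }

    /// Unbounded variant: the whole history must be verified in one call, so a
    /// history long enough to exceed the block gas limit can never be verified.
    function verifyWhole(DripsHistory[] calldata dripsHistory) external pure returns (bytes32) {
        return _fold(0, dripsHistory);
    }

    /// Chunked variant: resume from a prefix already verified here (or from the
    /// empty chain, 0), fold at most MAX_CHUNK entries, and record the result so
    /// the next transaction can continue from it. The final hash must still be
    /// compared against the hash stored on-chain by whoever consumes it, so a
    /// bogus chain only ever produces a hash that matches nothing.
    function verifyChunk(bytes32 startHash, DripsHistory[] calldata chunk) external returns (bytes32 historyHash) {
        require(startHash == 0 || verifiedPrefix[startHash], "Unknown history prefix");
        require(chunk.length <= MAX_CHUNK, "Chunk exceeds MAX_CHUNK");
        historyHash = _fold(startHash, chunk);
        verifiedPrefix[historyHash] = true; // one SSTORE per chunk boundary, not per entry
    }

    /// Consumer-side check: a squeeze may proceed only once the stored history
    /// hash has been reached, whether in one call or in chunks.
    function isVerified(bytes32 storedHistoryHash) external view returns (bool) {
        return storedHistoryHash == 0 || verifiedPrefix[storedHistoryHash];
    }
}
```

The chunked variant trades one storage write per chunk boundary for a loop whose gas is bounded by `MAX_CHUNK`, so a history of any length can be verified over enough transactions; `verifyWhole` shows the shape that fails once a single call's gas exceeds the block limit.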

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #274

c4-judge commented 1 year ago

GalloDaSballo marked the issue as partial-50

GalloDaSballo commented 1 year ago

50% because of the lack of clear explanation on how this goes from a potential issue into a real grief

c4-judge commented 1 year ago

GalloDaSballo marked the issue as not a duplicate

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)

GalloDaSballo commented 1 year ago

L --

GalloDaSballo commented 1 year ago

TODO: See #276

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-c

GalloDaSballo commented 1 year ago

Closing for validation, will re-judge later

c4-judge commented 1 year ago

This previously downgraded issue has been upgraded by GalloDaSballo

c4-judge commented 1 year ago

This previously downgraded issue has been upgraded by GalloDaSballo

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #276

c4-judge commented 1 year ago

GalloDaSballo marked the issue as partial-50

GalloDaSballo commented 1 year ago

For lack of the front-run exploit, I am downgrading by half