code-423n4 / 2023-01-popcorn-findings


Out of gas for view function #799

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L362

Vulnerability details

Impact

The view function returns an array of IERC20. There is no limit for this array.

Proof of Concept

At one time the owner of the contract can add too many tokens, and it would take more and more gas to return this transaction. Allocation in memory is not so cheap. After 200+ or more tokens, the function getAllRewardsTokens() becomes unavailable. There would always be a revert.

Tools Used

Foundry for finding gas limit

Recommended Mitigation Steps

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor disputed

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality