rewardTokens array can get too big causing functions that iterate over it to run out of gas
Proof of Concept
In twTAP.sol, reward tokens are stored in the rewardTokens array, which is looped through within several functions.
For example, claimable() always loops through rewardTokens to calculate the claimable rewards. Another function, advanceWeek(), is called to advance the epoch week and again loops through each entry of rewardTokens to shift forward the prior week's rewards to the current week.
Currently, there isn't a way to remove tokens, which is problematic because these loops can run out of gas if rewardTokens gets too large. This is a medium likelihood event, considering that certain tokens are depreciated over time.
Tools Used
Manual
Recommended Mitigation Steps
Consider adding a function that will allow tokens to be removed from rewardTokens.
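One way to implement this mitigation, as an added example that is not code from the audited repository: every contract, function and constant name below is hypothetical. It goes slightly beyond the recommendation by also capping the list length (MAX_REWARD_TOKENS is an assumed value), so the loops stay bounded even if nothing is ever removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration, not Tapioca code. All names here are hypothetical.
contract BoundedRewardTokens {
    uint256 public constant MAX_REWARD_TOKENS = 16; // assumed cap
    address public immutable owner;
    address[] public rewardTokens;
    // Position in rewardTokens plus one; 0 means "not listed".
    mapping(address => uint256) private slotOf;

    event RewardTokenAdded(address indexed token);
    event RewardTokenRemoved(address indexed token);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function addRewardToken(address token) external onlyOwner {
        require(token != address(0), "zero address");
        require(slotOf[token] == 0, "already listed");
        require(rewardTokens.length < MAX_REWARD_TOKENS, "list full");
        rewardTokens.push(token);
        slotOf[token] = rewardTokens.length;
        emit RewardTokenAdded(token);
    }

    /// Swap-and-pop: O(1) removal. It reorders the array, so any accounting
    /// keyed by array index must be keyed by token address instead.
    function removeRewardToken(address token) external onlyOwner {
        uint256 slot = slotOf[token];
        require(slot != 0, "not listed");
        uint256 lastIndex = rewardTokens.length - 1;
        address last = rewardTokens[lastIndex];
        rewardTokens[slot - 1] = last; // move the last entry into the gap
        slotOf[last] = slot;
        rewardTokens.pop();
        delete slotOf[token]; // also correct when token was the last entry
        emit RewardTokenRemoved(token);
    }
}
```

Before removing a token, a real contract would also need to decide what happens to rewards in that token that are accrued but not yet claimed.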
Lines of code
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/governance/twTAP.sol#L196
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/governance/twTAP.sol#L413
Assessed type
DoS