Gas Limit Exceed During AirDrops

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L178-L185

Vulnerability details

Impact

This vulnerability could allow an attacker to deliberately drain the gas of the contract, preventing users from being able to properly claim airdropped tokens. It also risks the distribution failing or only completing partially if too many small amounts are distributed in one transaction.

Proof of Concept

The airDropTokens function does not limit the number or size of airdrops that can be distributed in a single transaction:

    function airDropTokens(uint256 mintIndex, address _recipient, string memory _tokenData, uint256 _saltfun_o, uint256 _collectionID) external {
        require(msg.sender == minterContract, "Caller is not the Minter Contract");
        collectionAdditionalData[_collectionID].collectionCirculationSupply = collectionAdditionalData[_collectionID].collectionCirculationSupply + 1;
        if (collectionAdditionalData[_collectionID].collectionTotalSupply >= collectionAdditionalData[_collectionID].collectionCirculationSupply) {
            _mintProcessing(mintIndex, _recipient, _tokenData, _collectionID, _saltfun_o);
            tokensAirdropPerAddress[_collectionID][_recipient] = tokensAirdropPerAddress[_collectionID][_recipient] + 1;
        }
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add gas limit validation to prevent running out of gas: Distribute tokens in batches rather than one large transaction

Assessed type

Error

[c4-pre-sort]

141345 marked the issue as duplicate of #486

[c4-pre-sort]

141345 marked the issue as sufficient quality report

[c4-pre-sort]

141345 marked the issue as not a duplicate

[c4-pre-sort]

141345 marked the issue as duplicate of #1767

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #1509

[c4-judge]

alex-ppg marked the issue as unsatisfactory: Invalid