Open hats-bug-reporter[bot] opened 2 weeks ago
Github username: --
Twitter username: --
Submission hash (on-chain): 0xe36ffdcad0671944fd12f22f06d88fea0b397e11941f13e721f1314349e9ebbd
Severity: medium
Description:
BaseMinterWithdrawal.sol provides ERC721 withdrawal requests. The owner of the contract can set minWithdrawalAmount, which must be met in order for users to call the requestWithdrawal() function. The withdrawal request is later queued and processed by the owner via the processWithdrawals() function:
withdrawalIds is passed as a dynamic array argument which does not have a fixed length to process users' withdrawals. This issue can result in vulnerabilities where a function within a contract iterates through an array or list, i.e. withdrawalIds. If this array becomes excessively large, iterating over it could consume gas past the block limit. If this results in an out-of-gas vulnerability, then the impact would be:
1) Denial of Service (DoS): The processWithdrawals() function affected by this vulnerability can be rendered unusable, causing service disruptions.
2) Locked Funds: There could be temporarily locked funds due to failure of withdrawal request processing.
Oasis Sapphire has a block gas limit of 15 million, which is less than Ethereum's 30M block gas limit. If the minimum withdrawal amount is 1 or 5, a malicious user can create a high number of withdrawal requests, as a number of withdrawalIds would be minted as NFTs to the malicious user. When such a high number of withdrawal requests is queued and processed by the owner, it will result in a revert and denial of service, as the function would have crossed the Oasis 15 million gas limit. This revert would make the function fail.
Recommendations:
Consider having an upper bound check on the number of withdrawalIds in processWithdrawals() to allow them to be processed at a time.
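
One way to implement the recommended upper bound, shown as an added sketch that is not part of the original report or the project's BaseMinterWithdrawal.sol. Only `processWithdrawals`, `withdrawalIds`, `requestWithdrawal` and `minWithdrawalAmount` come from the report; the contract name, storage layout, `MAX_BATCH` value and payout step are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model of a withdrawal queue: it escrows native
// tokens instead of minting an ERC721 receipt, to keep the batching logic visible.
contract BoundedWithdrawalQueue {
    struct Request { address payable user; uint256 amount; bool processed; }

    // Assumed cap. Derive the real value from measured worst-case gas per item
    // so that MAX_BATCH * perItemGas stays well under the 15M block gas limit.
    uint256 public constant MAX_BATCH = 50;
    address public immutable owner;
    uint256 public minWithdrawalAmount;
    uint256 public nextId;
    mapping(uint256 => Request) public requests;

    error NotOwner();
    error BelowMinimum();
    error BatchTooLarge(uint256 given, uint256 max);

    constructor(uint256 minAmount) {
        owner = msg.sender;
        minWithdrawalAmount = minAmount;
    }

    function requestWithdrawal() external payable returns (uint256 id) {
        if (msg.value < minWithdrawalAmount) revert BelowMinimum();
        id = nextId++;
        requests[id] = Request(payable(msg.sender), msg.value, false);
    }

    function processWithdrawals(uint256[] calldata withdrawalIds) external {
        if (msg.sender != owner) revert NotOwner();
        // Upper bound: loop iterations per call no longer depend on queue length.
        if (withdrawalIds.length > MAX_BATCH)
            revert BatchTooLarge(withdrawalIds.length, MAX_BATCH);
        for (uint256 i = 0; i < withdrawalIds.length; ++i) {
            Request storage r = requests[withdrawalIds[i]];
            // Skip unknown or already-paid ids instead of reverting the batch.
            if (r.user == address(0) || r.processed) continue;
            r.processed = true; // effects before interaction
            (bool ok, ) = r.user.call{value: r.amount}("");
            // One failing recipient must not block the others; keep it retryable.
            if (!ok) r.processed = false;
        }
    }
}
```

With the cap in place the owner splits a long queue into chunks of at most `MAX_BATCH` ids off-chain and submits one transaction per chunk, so a large number of queued requests costs more transactions but cannot push a single call past the block gas limit.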