search

hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License
3 stars 2 forks source link

Potential Denial-of-Service in Validator via Bulk Operations Without Size Limits #77

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: -- Twitter username: 4n0n_x Submission hash (on-chain): 0xe89316f61cbe0531bea147aff5576e14a7a75dc5387913aa8dd12f86ca3fcb0f Severity: low

Description: Description\ The whitelist and blacklist functions in Validator accept arrays of addresses without limiting their size. Large arrays could cause transactions to exceed the block gas limit, leading to transaction failures and potential denial-of-service.

Impact\ A malicious user could attempt a bulk operation that exceeds the gas limit, preventing the function from executing. This could temporarily disrupt the system by making these functions unusable.

Recommendation\

  1. Set a Limit on the Number of Addresses per Transaction: Enforce a reasonable limit on the number of addresses processed in each transaction.

  2. Consider Batch Processing with Off-Chain Signatures: For higher efficiency, consider implementing batch processing with off-chain signatures to reduce on-chain gas consumption.

AndreiMVP commented 2 weeks ago

This is not an issue. The lister can submit a list of a length that doesn't revert due to gas limit

A malicious user could attempt a bulk operation that exceeds the gas limit, preventing the function from executing

Well, bad for him.

Set a Limit on the Number of Addresses per Transaction

The gas limit is that limit