Open hats-bug-reporter[bot] opened 1 month ago
Unbounded Contributors yes, but DoS is not happening, because multiple claims can be created for a single bounty
Thank you @FHieser, yes the issue is invalid, besides that, it creates a lot of gas consumption for the addClaim function as well. If the list is too large, the addClaim function reverts as well, besides that bountyManager is trusted.
    function test_DoSInProcessPayments() public {
        // Number of contributors placed in a single claim.
        uint total_contributors = 1000;
        ILM_PC_Bounties_v1.Contributor[] memory contributors =
            new ILM_PC_Bounties_v1.Contributor[](total_contributors);
        // Give every contributor a distinct pseudo-random address and a claim amount of 1.
        for (uint i = 0; i < total_contributors; i++) {
            contributors[i].addr =
                address(uint160(uint256(keccak256(abi.encodePacked(i)))));
            contributors[i].claimAmount = 1;
        }

        bountyManager.addBounty(1, 100_000_000, bytes("")); // Id 1

        // Measure the gas used by addClaim for the whole list.
        uint gasBefore1 = gasleft();
        bountyManager.addClaim(1, contributors, bytes("")); // Id 2
        uint gasAfter1 = gasleft();
        console.log("Gas Used to call addClaim function: ", gasBefore1 - gasAfter1);

        // notClaimed
        _token.mint(address(_fundingManager), 100_000_000);

        // Measure the gas used by verifyClaim for the same list.
        uint gasBefore = gasleft();
        bountyManager.verifyClaim(2, contributors);
        uint gasAfter = gasleft();
        console.log("Gas Used to call verifyClaim function: ", gasBefore - gasAfter);
    }
Logs:
[PASS] test_DoSInProcessPayments() (gas: 234525792)
Logs:
Gas Used to call addClaim function: 113234911
Gas Used to call verifyClaim function: 120559045
Github username: @erictee2802
Twitter username: 0xEricTee
Submission hash (on-chain): 0x9d5ecfac9dce86adb360222a580336918a27ed62e53ad5e7a5a445c615ad770f
Severity: medium
Description:

Description

The contributors length in LM_PC_Bounties_v1.sol is unbounded, and the length of contributors is looped in LM_PC_Bounties_v1.sol::verifyClaim. If the length of contributors is too large, iterating over them will become very costly and can result in a gas cost that is over the block gas limit. This will mean that a transaction cannot be executed anymore, leaving functions such as LM_PC_Bounties_v1.sol::verifyClaim in a state of DoS.

Attack Scenario

Denial of service in functions such as LM_PC_Bounties_v1.sol::verifyClaim if the contributors length is large. As a result, the legitimate payments cannot be processed properly, causing loss of funds to the user.

Attachments
NA
Add the foundry test test_DoSInProcessPayments in test/modules/logicModule/paymentClient/LM_PC_Bounties_v1.t.sol:

Run the test with command:

    forge test --mt test_DoSInProcessPayments -vv

Foundry Results:

The gas cost when total_contributors is set to 10:

The gas cost when total_contributors is set to 1000:

Noticed that the gas cost increases exponentially when more orders are created.
Consider checking a reasonable minimum value for the contributors parameter in the Contributors[] struct to prevent putting the protocol in a state of DoS.
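
The kind of length bound discussed in this report, shown as an added example that is not code from LM_PC_Bounties_v1 or from anyone in this thread. The contract name BoundedClaims, the constant MAX_CONTRIBUTORS, its value of 50 and the simplified storage layout are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not the LM_PC_Bounties_v1 implementation.
// BoundedClaims, MAX_CONTRIBUTORS and the storage layout are hypothetical.
// Access control and token transfers are omitted.
contract BoundedClaims {
    struct Contributor {
        address addr;
        uint claimAmount;
    }

    // Assumed cap; derive the real value from measured per-entry gas cost.
    uint public constant MAX_CONTRIBUTORS = 50;

    error InvalidContributorsLength(uint length);
    error InvalidContributor(uint index);
    error InvalidClaim(uint claimId);

    event ClaimVerified(uint indexed claimId, uint total);

    mapping(uint => Contributor[]) private _contributors;
    mapping(uint => bool) public claimed;
    uint public nextClaimId = 1;

    // Reject empty or oversized lists before any storage write, so every
    // stored claim can be iterated within a single transaction later.
    function addClaim(Contributor[] calldata contributors) external returns (uint id) {
        uint len = contributors.length;
        if (len == 0 || len > MAX_CONTRIBUTORS) revert InvalidContributorsLength(len);
        id = nextClaimId++;
        for (uint i = 0; i < len; ++i) {
            Contributor memory c = contributors[i];
            if (c.addr == address(0) || c.claimAmount == 0) revert InvalidContributor(i);
            _contributors[id].push(c);
        }
    }

    // Loop length is at most MAX_CONTRIBUTORS because addClaim enforced it.
    function verifyClaim(uint id) external returns (uint total) {
        Contributor[] storage list = _contributors[id];
        if (list.length == 0 || claimed[id]) revert InvalidClaim(id);
        claimed[id] = true;
        for (uint i = 0; i < list.length; ++i) {
            total += list[i].claimAmount;
        }
        emit ClaimVerified(id, total);
    }
}
```

Because the bound is enforced where the list enters storage, larger contributor sets have to be split across several claims, each of which stays cheap enough to verify on its own.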