Open hats-bug-reporter[bot] opened 1 week ago
Additionally orgHash
array could be infinitely large and all functions, which are using getOrgHashBySafe
DoS-ed, or made super expensive:
function getOrgHashBySafe(address safe) public view returns (bytes32) {
for (uint256 i; i < orgHash.length;) {
if (getSafeIdBySafe(orgHash[i], safe) != 0) {
return orgHash[i];
}
unchecked {
++i;
}
}
return bytes32(0);
}
duplicate of #10
Github username: -- Twitter username: -- Submission hash (on-chain): 0x5eef71904120d4f553dbf649a2f938bd7fd4f0dc841bb54613b3137c955fcb13 Severity: high
Description: Description\ Because of the way palmera iterates over all
indexId
, which is a variable indefinitely increasing, functions which are using it to check/fetch things could be DoS with OOG reverts. One such function is the Palmera Guard, when caller islead
:You can see that there is a for loop until
palmeraModule.indexId()
. Now we can check that anybody can indefinitely increase this var by creating new organizations with random names:... safeId = indexId++; safes[org][safeId] = DataTypes.Safe({ tier: DataTypes.Tier.ROOT, name: name, lead: address(0), safe: newRootSafe, child: new uint256, superSafe: 0 }); indexSafe[org].push(safeId); ... } For loop may become so big that the block gas limit is hit. This is a major issue because the functionality is bricked. If more places, where the following is a problem are found, It will be posted in the comments.
Attack Scenario\ Describe how the vulnerability can be exploited.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)