Open hats-bug-reporter[bot] opened 3 weeks ago
Can you provide an example of a function that iterates through all markets and becomes impossible to be called as a result?
Yeah, there are no functions which have a complexity related to the number of markets.
Github username: @DevPelz
Twitter username: Pelz_Dev
Submission hash (on-chain): 0x04eff2ab0e3258632487e501ca6602da6a9bc37711e52be608728e21c66de8c2
Severity: high
Description:

The `createMarket` function allows users to create multiple markets without incurring fees. It is called internally by various functions such as `createMultiCategoricalMarket` and `createCategoricalMarket`, which are external functions open to user interaction. Each new market created is pushed to an array (`markets.push(address(instance))`) without limits. This creates an opportunity for malicious users to flood the contract by creating numerous markets at little to no cost, causing the array to grow. As the array grows, gas costs for subsequent transactions that iterate or interact with the `markets` array increase, leading to out-of-gas errors and potential denial of service for the protocol.

Functions affected include but are not limited to:
- `createMultiCategoricalMarket`
- `createCategoricalMarket`

Attack Scenario

A malicious user can exploit this vulnerability by continuously creating fake markets through the external functions `createMultiCategoricalMarket` and `createCategoricalMarket`. Since there are no fees or restrictions on the number of markets created, the attacker can easily populate the `markets` array with fake addresses. As a result:
- `markets` array increases gas costs for interactions with it.

Attachments
Proof of Concept (PoC) File (PoC omitted as per request)
Revised Code File (Optional)

To mitigate this vulnerability, we suggest the following adjustments:
- `markets` array with a mapping to store addresses more efficiently.

Revised Code
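
The disagreement in this thread comes down to whether any call does work proportional to `markets.length`. The Solidity below is an added example, not the project's code and not the submitter's revised code: a hypothetical registry that puts the constant-cost append and mapping lookup next to a linear scan and a bounded, paginated read. Every contract and function name in it is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical registry for illustration; all names are assumptions and
/// none of this is the audited project's code.
contract MarketRegistryExample {
    address[] private markets;
    mapping(address => bool) public isMarket; // O(1) membership check

    /// Constant cost: one array append plus one mapping write, whatever the
    /// current length. Array growth alone cannot make this call revert.
    function register(address market) external {
        require(!isMarket[market], "already registered");
        isMarket[market] = true;
        markets.push(market);
    }

    function marketCount() external view returns (uint256) {
        return markets.length;
    }

    /// The pattern that does scale with length: a linear scan. A
    /// state-changing function that depended on this could exceed the
    /// block gas limit once the array is long enough.
    function indexOfLinear(address market) public view returns (uint256) {
        for (uint256 i = 0; i < markets.length; i++) {
            if (markets[i] == market) return i;
        }
        revert("not found");
    }

    /// Bounded read: cost is capped by `count`, not by how many markets
    /// exist, so callers can walk the array in fixed-size windows.
    function marketsPage(uint256 start, uint256 count)
        external
        view
        returns (address[] memory page)
    {
        uint256 len = markets.length;
        if (start >= len) return new address[](0);
        uint256 remaining = len - start;
        if (count > remaining) count = remaining;
        page = new address[](count);
        for (uint256 i = 0; i < count; i++) {
            page[i] = markets[start + i];
        }
    }
}
```

When reviewing a contract for this class of issue, the check is whether any state-changing path contains a loop or full-array copy like `indexOfLinear`; an append-only array with indexed or paginated reads does not have one.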