joestakey
medium
refundDeposit can be DOS
Summary
Attackers can fill up the deposits array to DOS refunds
Vulnerability Detail
DepositManager.refundDeposit() computes the funds available by calling bounty.getLockedFunds
This function loops through the deposits array:
deposits grows on every deposit:
If attackers call DepositManager.fundBountyToken() enough times, the deposits array will be large enough to make getLockedFunds revert with an out-of-gas error
Impact
Funders cannot get refunds. The attack is cheap (low gas on Polygon + minimum deposit is 1 wei), making it extremely likely to happen.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L341-L349
Tool used
Manual Review
Recommendation
You can either add an upper limit to deposits, or add a minimum deposit amount to make the attack too expensive.
Duplicate of #77
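The two mitigations from the Recommendation, as an added example that is not OpenQ's code: a simplified, native-token-only contract that enforces a minimum deposit and a cap on the array, with the unbounded loop from the finding kept beside it for comparison. The contract name, MAX_DEPOSITS, MIN_DEPOSIT and the running lockedFunds total are assumptions made for illustration, and the running total goes one step beyond the recommendation by removing the loop from the refund path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the project's code. All names and limits are hypothetical.
contract BoundedDeposits {
    struct Deposit { address funder; uint256 volume; bool refunded; }

    uint256 public constant MAX_DEPOSITS = 100;       // assumed upper limit on deposits
    uint256 public constant MIN_DEPOSIT = 0.01 ether; // assumed floor; 1 wei no longer accepted

    Deposit[] public deposits;
    uint256 public lockedFunds; // running total, updated on every fund/refund

    // Pattern described in the finding: gas cost grows with deposits.length,
    // so a large enough array makes every call that depends on it revert.
    function lockedFundsByLoop() public view returns (uint256 total) {
        for (uint256 i = 0; i < deposits.length; i++) {
            if (!deposits[i].refunded) total += deposits[i].volume;
        }
    }

    function fund() external payable returns (uint256 id) {
        require(msg.value >= MIN_DEPOSIT, "deposit below minimum");
        require(deposits.length < MAX_DEPOSITS, "deposit limit reached");
        id = deposits.length;
        deposits.push(Deposit(msg.sender, msg.value, false));
        lockedFunds += msg.value; // O(1) bookkeeping instead of a later loop
    }

    function refund(uint256 id) external {
        Deposit storage d = deposits[id];
        require(d.funder == msg.sender, "not funder");
        require(!d.refunded, "already refunded");
        // State is updated before the external call; cost is constant
        // regardless of how many deposits exist.
        d.refunded = true;
        lockedFunds -= d.volume;
        (bool ok, ) = msg.sender.call{value: d.volume}("");
        require(ok, "transfer failed");
    }
}
```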