refundDeposit may fail due to the gas limit DoS of bounty.getLockedFunds(depToken)
Summary
An attacker could maliciously increase the length of deposits array to become a large length, causing anyone being unable to call refundDeposit() due to the gas limit DoS of bounty.getLockedFunds(depToken) in refundDeposit().
Vulnerability Detail
In BountyCore.getLockedFunds():
function getLockedFunds(address _depositId)
public
view
virtual
returns (uint256)
{
uint256 lockedFunds;
bytes32[] memory depList = this.getDeposits();
for (uint256 i = 0; i < depList.length; i++) {
if (
block.timestamp <
depositTime[depList[i]] + expiration[depList[i]] &&
tokenAddress[depList[i]] == _depositId
) {
lockedFunds += volume[depList[i]];
}
}
return lockedFunds;
}
getLockedFunds() loops deposits array to calculate lockedFunds. But if the length of deposits is too big, it will exhaust all the gas and revert the transaction.
In addition, refundDeposit() uses getLockedFunds() to calculate availableFunds, the refundDeposit() will always be reverted due to the gas limit DoS.
An attacker could maliciously increase the length of deposits array to become a large length, causing anyone being unable to call refundDeposit().
Impact
Nobody is able to refund due to the gas limit DoS. The attacker just needs to pay a little money (for example, 1 wei for each deposit) and the cheap gas fee of Polygon to exploit this vulnerability.
Add a mapping for whitelist token and volume threshold, and check the _volume threshold in fundBountyToken. For example, users must fund at least 10 USDC each time.
GimelSec
high
refundDeposit
may fail due to the gas limit DoS ofbounty.getLockedFunds(depToken)
Summary
An attacker could maliciously increase the length of
deposits
array to become a large length, causing anyone being unable to callrefundDeposit()
due to the gas limit DoS ofbounty.getLockedFunds(depToken)
inrefundDeposit()
.Vulnerability Detail
In
BountyCore.getLockedFunds()
:getLockedFunds()
loopsdeposits
array to calculatelockedFunds
. But if the length ofdeposits
is too big, it will exhaust all the gas and revert the transaction.In addition,
refundDeposit()
usesgetLockedFunds()
to calculateavailableFunds
, therefundDeposit()
will always be reverted due to the gas limit DoS.An attacker could maliciously increase the length of
deposits
array to become a large length, causing anyone being unable to callrefundDeposit()
.Impact
Nobody is able to refund due to the gas limit DoS. The attacker just needs to pay a little money (for example, 1 wei for each deposit) and the cheap gas fee of Polygon to exploit this vulnerability.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L333-L352 https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L171-L172
Tool used
Manual Review
Recommendation
Add a mapping for whitelist token and volume threshold, and check the
_volume
threshold infundBountyToken
. For example, users must fund at least 10 USDC each time.Duplicate of #77