search

sherlock-audit / 2023-04-splits-judging

4 stars 1 forks source link

0xmuxyz - Due to reaching a gas limit, the transaction of the PassThroughWalletImpl#`passThroughToken()` will be reverted #86

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xmuxyz

medium

Due to reaching a gas limit, the transaction of the PassThroughWalletImpl#passThroughToken() will be reverted

Summary

The transaction will be reverted due to reaching a gas limit in the for-loop within the PassThroughWalletImpl#passThroughToken() if too many number of tokens would be assigned into the tokens_ array parameter by a caller when the PassThroughWalletImpl#passThroughToken() would be called.

Vulnerability Detail

When a user send some funds (tokens_) to the $passThrough address, the PassThroughWalletImpl#passThroughToken() would be called.

Within the PassThroughWalletImpl#passThroughToken(), multiple tokens can be assigned via the tokens_ array parameter and then each token would be transferred into the _passThrough by using for-loop like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-pass-through-wallet/src/PassThroughWalletImpl.sol#L120 https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-pass-through-wallet/src/PassThroughWalletImpl.sol#L124-L128

    /// send tokens_ to $passThrough
    function passThroughTokens(address[] calldata tokens_) external pausable returns (uint256[] memory amounts) { /// @audit
        address _passThrough = $passThrough;
        uint256 length = tokens_.length;
        amounts = new uint256[](length);
        for (uint256 i; i < length;) {  /// @audit
            address token = tokens_[i];
            uint256 amount = token._balanceOf(address(this));
            amounts[i] = amount;
            token._safeTransfer(_passThrough, amount);   /// @audit
            ...
        }
        ...

However, there is no limitation that how many number of tokens a caller can be assigned into the tokens_ array parameter. This lead to reaching a gas limit and therefore this transaction will be reverted in the for-loop if a user assign too many number of tokens into the tokens_ array parameter.

Impact

The transaction will be reverted due to reaching a gas limit in the for-loop within the PassThroughWalletImpl#passThroughToken().

Code Snippet

Tool used

Manual Review

Recommendation

Consider setting a limitation that how many number of tokens a caller can be assigned into the tokens_ array parameter when the PassThroughWalletImpl#passThroughToken() would be called.