Calling execute() can incur high expense as the data length is not checked while _target.call
In execute(), _data is used to send data to the target address. But the length of the data is not checked while calling _target.call function. This could result in huge gas costs & sometimes even maybe exceeding the value to be sent resulting in denial of service.
Shubham
medium
Calling
execute()
can incur high expense as the data length is not checked while_target.call
In
execute()
,_data
is used to send data to the target address. But the length of the data is not checked while calling_target.call
function. This could result in huge gas costs & sometimes even maybe exceeding the value to be sent resulting in denial of service.Vulnerability Detail
Impact
If the length of
_data
is too long, the call will fail leading to a revert even if all the parameters are correctly passed when calling theexecute()
.Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Anchor.sol#L78
Tool used
Manual Review
Recommendation
Check the length of the data to be sent before executing.