Calling `execute()` can incur high expense as the data length is not checked while `_target.call`

In execute(), _data is used to send data to the target address. But the length of the data is not checked while calling _target.call function. This could result in huge gas costs & sometimes even maybe exceeding the value to be sent resulting in denial of service.

Vulnerability Detail

File: Anchor.sol

78:          (bool success, bytes memory data) = _target.call{value: _value}(_data);

Impact

If the length of _data is too long, the call will fail leading to a revert even if all the parameters are correctly passed when calling the execute().

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Anchor.sol#L78

Tool used

Manual Review

Recommendation

Check the length of the data to be sent before executing.

sherlock-audit / 2023-09-Gitcoin-judging

Shubham - Calling `execute()` can incur high expense as the data length is not checked while `_target.call` #887

Calling `execute()` can incur high expense as the data length is not checked while `_target.call`

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-audit / 2023-09-Gitcoin-judging

Shubham - Calling `execute()` can incur high expense as the data length is not checked while `_target.call` #887

Calling execute() can incur high expense as the data length is not checked while _target.call

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Calling `execute()` can incur high expense as the data length is not checked while `_target.call`