Closed sherlock-admin2 closed 1 year ago
Doesn't mention unconstrained gas usage in a loop. Maybe the loop has constrained gas usage and there is no issue? The Watson speculates on the result. There is also no PoC. Because of these reasons, I will invalidate the issue.
0xpep7
medium
Gas Consumption Vulnerability in Infiltration's fulfillRandomWords
Summary
The fulfillRandomWords method within the Infiltration contract calls an internal function named _healRequestFulfilled. This internal function performs several operations, including looping over an array and making an external call to _executeERC20DirectTransfer. This design may result in a significant gas consumption issue, potentially causing the fulfillRandomWords method to revert due to out-of-gas errors. This is particularly concerning for VRF (Verifiable Random Function) integration and is listed in the VRF Security Considerations documentation.
Vulnerability Detail
The root cause of the vulnerability is that the _healRequestFulfilled function, which is called by fulfillRandomWords, involves multiple gas-intensive operations, including an external call to _executeERC20DirectTransfer. The gas consumed by this operation may exceed the available gas limit for the transaction, leading to a revert.
Impact
The impact of this vulnerability is significant, as it can lead to failed transaction execution due to out-of-gas errors. In the context of VRF integration, this is problematic, as it can add additional gas cost overhead and potentially disrupt the normal flow of operations.
Code Snippet
https://github.com/sherlock-audit/2023-10-looksrare/tree/main/contracts-infiltration/contracts/Infiltration.sol#L1096
Tool used
Manual Review
Recommendation
To address this gas consumption vulnerability, it is recommended to reconsider the design of the _healRequestFulfilled function by caching the randomness
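The two callback shapes the report contrasts, as an added example that is not part of the report and not Infiltration's code: a fulfillRandomWords that does the healing loop and the per-player ERC20 transfer inline, next to one that only caches the random word and lets any later transaction do the loop in bounded batches. Every contract, function, event and constant name below (MinimalVRFConsumer, HealInCallback, HealDeferred, processHeal, HEAL_CHANCE, REFUND) is constructed for the illustration; the base contract mirrors only the shape of Chainlink's VRFConsumerBaseV2 (an external rawFulfillRandomWords guarded by the coordinator address that dispatches to an internal virtual fulfillRandomWords) so the file compiles on its own. The heal-chance logic and the refund are invented stand-ins for whatever the real game does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Infiltration's code. All names are constructed.
// MinimalVRFConsumer mirrors the shape of Chainlink's VRFConsumerBaseV2 so the
// example is self-contained; request creation is omitted for brevity.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract MinimalVRFConsumer {
    address public immutable vrfCoordinator;

    constructor(address coordinator) {
        vrfCoordinator = coordinator;
    }

    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == vrfCoordinator, "only coordinator");
        fulfillRandomWords(requestId, randomWords);
    }

    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal virtual;
}

// Pattern the report describes: the callback walks the pending-heal array and
// makes one external ERC20 transfer per element. Gas grows with the array, and
// the callback is delivered with the callbackGasLimit fixed at request time, so
// past some array length the whole callback runs out of gas and reverts.
contract HealInCallback is MinimalVRFConsumer {
    IERC20 public immutable token;
    uint256 public constant HEAL_CHANCE = 50; // percent, assumed for the example
    uint256 public constant REFUND = 1 ether; // assumed refund per failed heal

    mapping(uint256 => address[]) internal healRequests; // requestId => players

    constructor(address coordinator, IERC20 _token) MinimalVRFConsumer(coordinator) {
        token = _token;
    }

    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address[] storage players = healRequests[requestId];
        for (uint256 i = 0; i < players.length; i++) {
            bool healed = uint256(keccak256(abi.encode(randomWords[0], i))) % 100 < HEAL_CHANCE;
            if (!healed) {
                // external call inside the VRF callback, once per player
                require(token.transfer(players[i], REFUND), "transfer failed");
            }
        }
        delete healRequests[requestId];
    }
}

// Deferred pattern: the callback only records the word, costing a near-constant
// amount of gas and never reverting. Anyone can then drive the heavy work in
// batches sized to fit an ordinary transaction.
contract HealDeferred is MinimalVRFConsumer {
    IERC20 public immutable token;
    uint256 public constant HEAL_CHANCE = 50;
    uint256 public constant REFUND = 1 ether;

    struct HealRequest {
        address[] players;
        uint256 randomWord;
        uint256 cursor;    // index of the next unprocessed player
        bool fulfilled;    // explicit flag: a random word of 0 is a valid value
    }
    mapping(uint256 => HealRequest) internal healRequests;

    event RandomnessCached(uint256 indexed requestId);

    constructor(address coordinator, IERC20 _token) MinimalVRFConsumer(coordinator) {
        token = _token;
    }

    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        HealRequest storage r = healRequests[requestId];
        if (r.fulfilled) return; // never revert in the callback: ignore a duplicate instead
        r.randomWord = randomWords[0];
        r.fulfilled = true;
        emit RandomnessCached(requestId);
    }

    // Processes at most maxPlayers entries per call; the caller, not the VRF
    // coordinator, pays for the loop and the transfers.
    function processHeal(uint256 requestId, uint256 maxPlayers) external {
        HealRequest storage r = healRequests[requestId];
        require(r.fulfilled, "randomness not yet received");
        uint256 end = r.cursor + maxPlayers;
        if (end > r.players.length) end = r.players.length;
        for (uint256 i = r.cursor; i < end; i++) {
            bool healed = uint256(keccak256(abi.encode(r.randomWord, i))) % 100 < HEAL_CHANCE;
            if (!healed) {
                require(token.transfer(r.players[i], REFUND), "transfer failed");
            }
        }
        r.cursor = end;
    }
}
```

The check a reviewer would actually run on the first shape is whether the worst-case gas of fulfillRandomWords, at the largest array the contract can accumulate, stays under the callbackGasLimit passed in the request; the Chainlink V2 coordinator delivers the callback with exactly that budget and, if the callback reverts, marks the request fulfilled (RandomWordsFulfilled with success set to false) rather than retrying, so a failed callback loses that request's randomness. The second shape sidesteps the question by making the callback's cost independent of the array length and letting processHeal be retried with a smaller maxPlayers if a batch runs out of gas.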