search

sherlock-audit / 2023-11-convergence-judging

8 stars 8 forks source link

qpzm - Out-of-gas error in `CvgERC721TimeLockingUpgradeable.getTokenIdsForWallet` #217

Closed sherlock-admin closed 10 months ago

sherlock-admin commented 10 months ago

qpzm

medium

Out-of-gas error in CvgERC721TimeLockingUpgradeable.getTokenIdsForWallet

Summary

CvgERC721TimeLockingUpgradeable.getTokenIdsForWallet will cause out of gas error when the number of tokens is large.

Vulnerability Detail

If a user has a large number of tokens, the function getTokenIdsForWallet will cause out of gas error.

function getTokenIdsForWallet(address _wallet) public view returns (uint256[] memory) {
        uint256 range = balanceOf(_wallet);
        uint256[] memory tokenIds = new uint256[](range);
        for (uint256 i; i < range; i++) {
            tokenIds[i] = tokenOfOwnerByIndex(_wallet, i);
        }
        return tokenIds;
    }

Impact

Out-of-gas error

Code Snippet

https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Token/CvgERC721TimeLockingUpgradeable.sol#L38-L45

Tool used

Manual Review

Recommendation

Add parameters uint256 start and uint256 end to getTokenIdsForWallet to allow users to get tokenIds in batches.

nevillehuang commented 10 months ago

Invalid, lack of proof to show OOG and it is very unlikely that a user will own so much NFT that it causes an OOG error.