Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: the array length is not controlled by admin thus making it possible for a large number of the array; medium(2)
@sudeepdino008 can we figure out what is the upper bound on the number of finalization participants that can be accepted before OOO occurs?
Invalid based on sherlock OOG rules
Anubis
medium
Potential Denial of Service (DoS) via Block Specimen Session (Unbounded Loops)
Summary
The finalizeSpecimenSession function in the contract iterates over an unbounded number of block specimen hashes and their respective participants. In scenarios with a high number of submissions, the gas cost could exceed block gas limits, resulting in a denial of service where sessions cannot be finalized.
Vulnerability Detail
The function finalizeSpecimenSession is designed to finalize block specimen sessions by determining the most agreed-upon specimen hash. It involves iterating over all submitted block specimen hashes and their participants to find the specimen hash with the maximum agreement. However, there are no bounds on the number of specimen hashes or participants, leading to unbounded loops. If the number of submissions is very high, the function may require more gas than the block gas limit allows, making it impossible to finalize the session, effectively causing a DoS condition.
Impact
If this function fails to execute due to excessive gas costs, it could halt important governance decisions or reward distributions, affecting the protocol's functionality and potentially causing loss of trust among participants.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L397
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L416
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L419
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L374
Tool used
Manual Review
Recommendation
Introduce a mechanism to limit the number of specimen hashes and participants that can be processed in a single transaction. This can be achieved by implementing pagination or splitting the finalization process into multiple transactions. Additionally, consider setting reasonable limits on the number of specimen hashes and participants to prevent excessive gas costs.
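An added sketch of the recommendation above, not code from the audited repository or from the report's author: submissions are capped when they are accepted, and finalization keeps a cursor so the tally can be spread over several transactions. The contract name, the constants and their values, and every function and field name are hypothetical; access control, quorum rules and reward logic are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical illustration; none of these names come from BlockSpecimenProofChain.sol.
contract BoundedSessionSketch {
    uint256 public constant MAX_HASHES = 32;        // assumed cap on distinct hashes per session
    uint256 public constant MAX_PARTICIPANTS = 256; // assumed cap on submitters per hash

    struct Session {
        bytes32[] hashes;                           // distinct specimen hashes, in arrival order
        mapping(bytes32 => address[]) participants; // submitters per hash
        mapping(address => bool) submitted;         // one submission per address
        uint256 cursor;                             // index of the next hash to tally
        bytes32 leadingHash;                        // best hash seen so far
        uint256 leadingCount;                       // its participant count
        bool finalized;
    }
    mapping(uint256 => Session) private sessions;

    // Both array lengths are bounded here, so later loops have a known worst case.
    function submit(uint256 id, bytes32 specimenHash) external {
        Session storage s = sessions[id];
        require(!s.finalized && s.cursor == 0, "tally started");
        require(!s.submitted[msg.sender], "already submitted");
        address[] storage p = s.participants[specimenHash];
        if (p.length == 0) {
            require(s.hashes.length < MAX_HASHES, "too many hashes");
            s.hashes.push(specimenHash);
        }
        require(p.length < MAX_PARTICIPANTS, "too many participants");
        s.submitted[msg.sender] = true;
        p.push(msg.sender);
    }

    // Tallies at most `batch` hashes per call; call repeatedly until it returns true.
    function finalizeBatch(uint256 id, uint256 batch) external returns (bool done) {
        Session storage s = sessions[id];
        require(!s.finalized, "finalized");
        uint256 end = s.cursor + batch;
        if (end > s.hashes.length) end = s.hashes.length;
        for (uint256 i = s.cursor; i < end; i++) {
            uint256 n = s.participants[s.hashes[i]].length; // O(1) read, no inner loop
            if (n > s.leadingCount) { s.leadingCount = n; s.leadingHash = s.hashes[i]; }
        }
        s.cursor = end;                       // progress persists across transactions
        done = (end == s.hashes.length);
        if (done) s.finalized = true;
    }
}
```

Any per-participant work that finalization still needs, such as reward bookkeeping, stays bounded by MAX_PARTICIPANTS per hash, and the same cursor pattern applies to it if that bound is still too expensive for one transaction.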