sherlock-admin closed this issue 9 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {No impact}
Invalid based on Sherlock OOG rules
- Out of Gas: Issues that result in Out of Gas errors either by the malicious user filling up the arrays or there is a practical call flow that results in OOG can be considered a valid medium or in cases of blocking all user funds forever maybe a valid high. Exception: In case the array length is controlled by the trusted admin/owner or the issue describes an impractical usage of parameters to reach OOG state then these submissions would be considered as low.
bareli
medium
Gas Limitations
Summary
Gas Limitations: The updateFundingRate function could potentially run out of gas if the arrays provided are too long, as it loops through all elements without any gas checks.
Vulnerability Detail
function updateFundingRate(address[] calldata perpList, int256[] calldata rateList) external onlyOwner {
    for (uint256 i = 0; i < perpList.length;) {
        address perp = perpList[i];
        int256 oldRate = IPerpetual(perp).getFundingRate();
        uint256 maxChange = getMaxChange(perp);
        require((rateList[i] - oldRate).abs() <= maxChange, "FUNDING_RATE_CHANGE_TOO_MUCH");
        fundingRateUpdateTimestamp[perp] = block.timestamp;
        unchecked {
            ++i;
        }
    }
    IDealer(dealer).updateFundingRate(perpList, rateList);
}
Impact
Code Snippet
https://github.com/sherlock-audit/2023-12-jojo-exchange-update/blob/main/smart-contract-EVM/src/FundingRateUpdateLimiter.sol#L37
Tool used
Manual Review
Recommendation
limit on array length
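A sketch of the recommended array-length limit, as an added example that is not part of the original report or the project's code. `MAX_BATCH` and its value, the two custom errors, the inline owner check, and the stand-in `getMaxChange` body are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces, reduced to the calls used in the reported function.
interface IPerpetual { function getFundingRate() external view returns (int256); }
interface IDealer { function updateFundingRate(address[] calldata, int256[] calldata) external; }

contract BoundedFundingRateLimiter {
    // Assumption: 50 is a placeholder cap, not a value taken from the project.
    uint256 public constant MAX_BATCH = 50;

    address public immutable owner;
    address public immutable dealer;
    mapping(address => uint256) public fundingRateUpdateTimestamp;

    error BatchTooLarge(uint256 length, uint256 max);
    error LengthMismatch(uint256 perps, uint256 rates);

    constructor(address _dealer) { owner = msg.sender; dealer = _dealer; }

    modifier onlyOwner() { require(msg.sender == owner, "NOT_OWNER"); _; }

    // Stand-in for the project's getMaxChange(perp); the real formula is not on the page.
    function getMaxChange(address) public pure returns (uint256) { return 1e16; }

    function _abs(int256 x) private pure returns (uint256) {
        return x >= 0 ? uint256(x) : uint256(-x);
    }

    function updateFundingRate(address[] calldata perpList, int256[] calldata rateList) external onlyOwner {
        uint256 n = perpList.length;
        // Reject oversized batches before any external call is made.
        if (n > MAX_BATCH) revert BatchTooLarge(n, MAX_BATCH);
        // Make a mismatched rate list an explicit revert instead of an index panic.
        if (rateList.length != n) revert LengthMismatch(n, rateList.length);
        for (uint256 i = 0; i < n;) {
            address perp = perpList[i];
            int256 oldRate = IPerpetual(perp).getFundingRate();
            require(_abs(rateList[i] - oldRate) <= getMaxChange(perp), "FUNDING_RATE_CHANGE_TOO_MUCH");
            fundingRateUpdateTimestamp[perp] = block.timestamp;
            unchecked { ++i; }
        }
        IDealer(dealer).updateFundingRate(perpList, rateList);
    }
}
```

Because the function is `onlyOwner`, the cap works as a guardrail against an oversized owner transaction; updates covering more perpetuals than `MAX_BATCH` are sent as several calls.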