Closed sherlock-admin2 closed 6 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { The length of the array is controled by a vetoTransaction() function which has an onlyOwner modifier}
zzykxx
medium
checkTransaction()
might run out of gas because of an unbounded loopSummary
The function
checkTransaction()
inSafeGuard.sol
might get to a state where it always reverts because it loops over an array that can only increase in size.Vulnerability Detail
The function
checkTransaction()
is called by a gnosis safe as a last layer of protection to check whether a transaction should be executed or not. The function is meant to revert if the owner vetoed the transaction viavetoTransaction()
.The function
vetoTransaction()
pushes a new value in the arraynonces
every time is called and the functioncheckTransaction()
loops over all the elements ofnonces
every time is called:It's possible for the
nonces
array to get big enough to cause all calls to revert because it runs out of gas.Impact
Calls from the gnosis safe to
checkTransaction()
might always revert, causing a DOS.Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/zodiac/core/SafeGuard.sol#L62-L75
Tool used
Manual Review
Recommendation
Retrieve the
nonce
viamsg.sender.nonce() - 1
instead of looping through all the nonces.Duplicate of #151