sherlock-admin
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
0xAadi commented:
Closed sherlock-admin closed 9 months ago
sherlock-admin
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
0xAadi commented:
LouisTsai
medium
Vulnerabilities in gas consumption and native token handling in internal
_fillfunction.Summary
The code is vulnerable to run out of gas for execution due to a nested for-loop in the
_fillfunction and the complex computation, which may lead to excessive gas consumption and transaction failures. Additionally, there is a concern regarding the recipient's ability to receive native tokens, which also revert the transaction.Vulnerability Detail
_fillfunction can result in a vulnerability. The code iterates over each resolved order and, for each order, iterates over its output tokens to transfer ERC20 tokens. If the number of output tokens or the complexity of the transfer operation is high, it may lead to gas exhaustion, causing transaction failures. It is more likely to occur inexecuteBatchoperation.Missing Receive/Fallback Function in Recipient
If the recipient is a contract and does not implement the receive or fallback function, the transfer of native token will fail, leading to the revert of all the execution.
Impact
An user might not be able to fill the order due to the nested for-loop that cause excessive gas consumption or the lack of receive function and fallback function in native token transfer.
It will occurs in execute, executeWithCallback, executeBatch and executeBatchWithCallback.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L233
Tool used
Manual Review
Recommendation
Restructure the code to optimize gas consumption, consider batch processing, or implement gas limits to prevent potential vulnerability. This will help ensure the reliability and security of the contract under varying gas conditions.