stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Valid

Unbounded Loop in getLockIdsByOwner

Summary

Setting the maximum number of loop iterations to a variable that only ever grows, namely lastLockId, will eventually exceed the block gas limit and cause the function to revert.

It is important to note that the block gas limit constraint is applicable to view functions as well, despite their generally higher gas allowance. This measure serves as a safeguard against potential denial-of-service attacks targeting RPC providers.

Impact

While the current implementation may not pose immediate concerns, the function's long-term reliability is questionable. The issue is expected to manifest once the count of locks reaches an extensive scale, potentially in the tens or hundreds of thousands.

Vulnerability Details

Tools Used

Manual Review

Recommendations

To enhance the contract's efficiency and manageability, I recommend implementing a bounded iteration approach by introducing maximum and minimum index parameters. This modification will enable contract administrators to execute the function in segmented steps while aggregating the results to achieve the desired outcome. Please note that this adjustment necessitates a refactoring of the existing function, including the removal of the assert and break statements. Depending on the expected number of users on the platform, this may never become an issue.
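
An added example of the bounded iteration recommended above; it is not code from the stake.link contracts. Only lastLockId and getLockIdsByOwner are names from this report: the lockOwners mapping, createLock, MAX_SPAN and the InRange function name are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Added illustration. Storage layout and every name except lastLockId are assumptions.
contract PagedLockLookup {
    uint256 public constant MAX_SPAN = 5_000; // assumed cap on ids scanned per call

    uint256 public lastLockId;                     // only ever grows
    mapping(uint256 => address) public lockOwners; // hypothetical: lock id => owner

    error InvalidRange(uint256 minId, uint256 maxId);

    /// Stand-in for the protocol's lock creation, so the example is self-contained.
    function createLock(address _owner) external returns (uint256 lockId) {
        lockId = ++lastLockId;
        lockOwners[lockId] = _owner;
    }

    /// Scans only ids in [_minId, _maxId] (inclusive; ids start at 1).
    /// Returns the matches and the id to resume from (0 once the scan is complete).
    function getLockIdsByOwnerInRange(address _owner, uint256 _minId, uint256 _maxId)
        external
        view
        returns (uint256[] memory lockIds, uint256 nextId)
    {
        // Reject empty, inverted or oversized windows before doing any work.
        if (_minId == 0 || _minId > _maxId || _maxId - _minId >= MAX_SPAN) {
            revert InvalidRange(_minId, _maxId);
        }
        uint256 end = _maxId > lastLockId ? lastLockId : _maxId;

        // First pass: count matches so the result array is sized exactly.
        uint256 found;
        for (uint256 i = _minId; i <= end; ++i) {
            if (lockOwners[i] == _owner) ++found;
        }

        // Second pass: fill. Work is bounded by MAX_SPAN, not by lastLockId,
        // so no assert against the owner's balance and no early break is needed.
        lockIds = new uint256[](found);
        uint256 j;
        for (uint256 i = _minId; i <= end; ++i) {
            if (lockOwners[i] == _owner) lockIds[j++] = i;
        }

        nextId = end < lastLockId ? end + 1 : 0;
    }
}
```

A caller pages through the id space by passing the returned nextId as the next _minId until it is 0, concatenating the partial results off-chain.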

Updates

Lead Judging Commences

0kage Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

unbounded-locks

getLockIdsByOwner could be very gas intensive and revert
