Summary

PendingStakes and holders array which is stored as the state variables. If this arrays length extended to few hundreds it will potentially leads to reach the block.gasLimit and DOS.

Vulnerability Details

Function getTstTotal() have for-loop is used to get total TST tokens by doing sum of array which leads to potential DOS if holders and pendingStakes array length have few hundreds.by calling all array data which is highly gas expensive it leads to hits the block.gaslimit in one transaction.

In the above code we can see that two for-loops calls the holders and pendingStakes arrays in one transaction if two arrays have few hundreds length then it enough to make DOS by reaching block.gasLimit.

We noticed that protocol deploys on arbitrum but we can see block.gasLimit on arbitrum.

Before submitting this report the latest transaction made on arbitrum here :-

https://arbiscan.io/block/164636936

Arbitrum block gas limit :- 1,125,899,906,842,624

The simple swap transaction cost 4,227,935 on arbitrum.

Then few hundreds array length is enough to cause the DOS.

Impact

It will create DOS(denial of service) to subsequent requests.

Tools Used

Manual View

Recommendations

Add a mechanism which user can specify the min-max length of the array.

Instances

Below function which is also associated with DOS gas-limi issue
getStakeTotal()

holderPendingStakes()

deleteHolder()

deletePendingStake()

addUniqueHolder

consolidatePendingStakes()

Function which is associated with above function also lands on DOS.