First Flight #12: Kitty Connect

Submission Details
Severity: low
Invalid

`KittyConnect::addShop` function should have Max Shop limit for best practice

Summary

The KittyConnect::addShop function allows the owner to add a new shop partner without any limit on the maximum number of shops. This could allow a denial-of-service attack by adding a large number of shop partners.

Vulnerability Details

The KittyConnect::addShop function takes a shop address and adds it to the mapping and array of shop partners. There is no check on the number of existing shop partners before adding a new one. An attacker who gains control of the owner account could add a very large number of shop addresses, which could cause out-of-gas errors or slow down critical functions.

Impact

The impact of having no limit on the number of shops is that it could allow a denial-of-service attack by making critical contract functions prohibitively expensive to execute due to excessive storage and looping costs.

Tools Used

Manual Review

Recommendations

Add a limit on the maximum number of shop partners allowed, and require that a new shop can only be added while the number of existing shops is below this limit. A reasonable limit would be 100 or 1000 shops maximum.

```diff
+ uint256 public constant MAX_SHOPS = 100;
  function addShop(address shopAddress) external onlyKittyConnectOwner {
+     require(s_kittyShops.length < MAX_SHOPS, "Max shops reached");
      s_isKittyShop[shopAddress] = true;
      s_kittyShops.push(shopAddress);
      emit ShopPartnerAdded(shopAddress);
  }
```

This would prevent the addShop function from being abused to spam the contract with an excessive number of shops.
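A self-contained Foundry test of the recommended cap, added here as an example and not taken from the KittyConnect code base: the `BoundedShopRegistry` contract is a reduced model that keeps only the storage and modifier the fix touches, and it goes one step beyond the diff above by also rejecting duplicate shop addresses so a single address cannot consume the cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Reduced model of the shop-partner registry, written for this example;
// it is not the KittyConnect contract, only the pieces the fix touches.
contract BoundedShopRegistry {
    uint256 public constant MAX_SHOPS = 100;
    address private immutable i_owner;
    mapping(address => bool) public s_isKittyShop;
    address[] public s_kittyShops;

    event ShopPartnerAdded(address indexed shop);
    error NotOwner();
    error MaxShopsReached(uint256 max);
    error AlreadyShop(address shop);

    constructor() { i_owner = msg.sender; }
    modifier onlyKittyConnectOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    function addShop(address shopAddress) external onlyKittyConnectOwner {
        // Bound the array so any loop over s_kittyShops has a known gas ceiling.
        if (s_kittyShops.length >= MAX_SHOPS) revert MaxShopsReached(MAX_SHOPS);
        // Reject duplicates, otherwise one address pushed repeatedly could fill the cap.
        if (s_isKittyShop[shopAddress]) revert AlreadyShop(shopAddress);
        s_isKittyShop[shopAddress] = true;
        s_kittyShops.push(shopAddress);
        emit ShopPartnerAdded(shopAddress);
    }

    function shopCount() external view returns (uint256) { return s_kittyShops.length; }
}

contract BoundedShopRegistryTest is Test {
    BoundedShopRegistry registry;

    // The test contract deploys the registry, so it is the owner for addShop calls.
    function setUp() public { registry = new BoundedShopRegistry(); }

    function test_rejectsShopBeyondCap() public {
        // Constructed addresses 0x1 .. 0x64 fill the registry to exactly MAX_SHOPS.
        for (uint256 i = 1; i <= registry.MAX_SHOPS(); i++) registry.addShop(address(uint160(i)));
        assertEq(registry.shopCount(), registry.MAX_SHOPS());
        vm.expectRevert(abi.encodeWithSelector(BoundedShopRegistry.MaxShopsReached.selector, uint256(100)));
        registry.addShop(address(uint160(101)));
    }
}
```

Run with `forge test --match-contract BoundedShopRegistryTest`; the loop also gives a rough feel for how much gas the owner spends filling the cap, which is the cost an attacker with the owner key would need to pay to reach the limit.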

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
