The KittyConnect::addShop function allows the owner to add a new shop partner without any limit on the maximum number of shops. This could allow a denial-of-service attack by adding a large number of shop partners.
The KittyConnect::addShop function takes a shop address and adds it to the mapping and array of shop partners. There is no check on the number of existing shop partners before adding a new one. An attacker who gains control of the owner account could add a very large number of shop addresses, which could cause out-of-gas errors or slow down critical functions.
Without a limit on the number of shops, critical contract functions that read or loop over the shop partners can become prohibitively expensive to execute because of the excessive storage and looping costs, which amounts to a denial of service.
Manual Review
Add a limit for the maximum number of shop partners allowed, and require that a new shop can only be added if the number of existing shops is below this limit. A reasonable limit would be 100 or 1000 shops maximum.
This would prevent the addShop function from being abused to spam the contract with an excessive number of shops.
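The following contract is an added example, not KittyConnect's own code; the contract name, the storage names `isKittyShop` and `kittyShops`, the event, the custom errors and the `onlyOwner` modifier are assumptions standing in for the real project's. It places the unbounded pattern described in the finding next to a hardened `addShop` that enforces a cap, rejects duplicates and rejects the zero address before writing to storage.

```solidity
// SPDX-License-Identifier: MIT
// Added example; names below are assumptions, not KittyConnect's real layout.
pragma solidity ^0.8.19;

contract ShopRegistry {
    // Upper bound chosen per the recommendation; keeps any loop over
    // kittyShops bounded at a known gas cost.
    uint256 public constant MAX_SHOPS = 100;

    address public owner;
    mapping(address => bool) public isKittyShop;
    address[] public kittyShops;

    event ShopPartnerAdded(address indexed shop);

    error NotOwner();
    error ZeroAddress();
    error ShopAlreadyRegistered(address shop);
    error ShopLimitReached(uint256 limit);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Pattern described in the finding: nothing bounds the array length,
    // so a compromised owner can grow it until dependent functions run
    // out of gas. Shown only for comparison with the hardened version.
    function addShopUnbounded(address shopAddress) external onlyOwner {
        isKittyShop[shopAddress] = true;
        kittyShops.push(shopAddress);
        emit ShopPartnerAdded(shopAddress);
    }

    // Hardened version: all checks run before any storage write.
    function addShop(address shopAddress) external onlyOwner {
        if (shopAddress == address(0)) revert ZeroAddress();
        if (isKittyShop[shopAddress]) revert ShopAlreadyRegistered(shopAddress);
        if (kittyShops.length >= MAX_SHOPS) revert ShopLimitReached(MAX_SHOPS);

        isKittyShop[shopAddress] = true;
        kittyShops.push(shopAddress);
        emit ShopPartnerAdded(shopAddress);
    }

    function shopCount() external view returns (uint256) {
        return kittyShops.length;
    }
}
```

The duplicate check matters alongside the cap: without it, the same address could be pushed repeatedly and consume the limit, and the mapping and array would disagree about how many distinct partners exist. With the cap in place, any function that iterates over `kittyShops` has a worst-case gas cost of `MAX_SHOPS` iterations, which can be measured once and relied on.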