First Flight #13: Baba Marta
First Flight #13
Beginner FriendlyFoundryGameFi
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

`MartenitsaEvent::stopEvent` faces denail of DoS due to `participants` array being larger leads to users being producers for the whole lifetime

shikhar229169

Summary

On blockchain a transaction has some gaslimit, exceeding which reverts the transaction and it is not executed. A for loop which runs for a certain number of iterations such that the count of iterations exceed the gas limit for that transaction leads to out of gas error and the transaction reverts.

The stopEvent function is intended to remove all the participants from the producer role by iterating over an array containing addresses of all the participants, but participants array being above the threshold limit will consume the whole transaction's gas limit and will thus face a DoS which will result into participants being producers for the whole lifetime.

Vulnerability Details

The vulnerability is present in the MartenitsaEvent::stopEvent function where it iterates all over the length of participants in order to remove them from the producer role, but participants array length being greater than the threshold will result in transaction failure due to out of gas issue and the participants can never be removed from the producer role.

function stopEvent() external onlyOwner {
require(block.timestamp >= eventEndTime, "Event is not ended");
@> for (uint256 i = 0; i < participants.length; i++) {
isProducer[participants[i]] = false;
}
}

Impact

  • Participants can never be removed from the producer role.

  • Therefore, they will be able to produce marenitsa token and sell it on marketplace.

Tools Used

Manual Review

Recommendations

Instead of maintaining an array of all participants and iterating over it to remove them, use a different approach as mentioned below which doesn't require to maintain an array of all the participants and worrying of removing their roles.

  • For every event consider currEventNumber which starts from 1.

  • Consider a mapping mapping(address participant => uint256 eventNum) participantToLatestEvent

  • Now, when a user joins an event through joinEvent function, perform participantToLatestEvent[msg.sender] = currEventNumber

  • Now modify the implementation of isProducer function which returns true when participantToLatestEvent[msg.sender] == currEventNumber and false otherwise.

  • Hence, there is now no need to utilize the stopEvent function and remove the participants from producers role, as it will be proactively managed by the new implementation.

Thus, in this way it proactively manages all the participant's producer role.

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Unbounded arrays

shikhar229169 Submitter
over 1 year ago
bube Lead Judge
over 1 year ago
bube Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Unbounded arrays

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.