`MartenitsaVoting:: _tokenIds` Array length is increased for every vote which can be exploited by a Malicious user to gas grief owner when the winner is announced
Summary
The MartenitsaVoting:: _tokenIds array length is increased for every vote and is completely iterated when the owner calls MartenitsaVoting::announceWinner this fact can be exploited by a malicious user to drastically increase _tokenId array length .
Impact
It can cost owner a lot of gas when he calls MartenitsaVoting::announceWinner function.
Proof of Code
-
The
MartenitsaVoting::voteForMartenitsafunction has the following line of code_tokenIds.push(tokenId);which pushes every token id into the_tokenIdsarray which drastically increases the array length -
When the owner calls
MartenitsaVoting::announceWinnerthe code reaches the following line of code
for (uint256 i = 0; i < _tokenIds.length; i++)where the whole length of_tokenIdsarray length is iterated -
Malicious user can Vote through multiple addresses to increase this array length resulting in a gas grief attack for the owner
Recommendations
In the MartenitsaVoting::voteForMartenitsa checking for token id before pushing it will solve the issue ,make the following changes to MartenitsaVoting::voteForMartenitsa
Since ids to which users can vote belong to trusted producers and are limited there is no risk of an increased array length or high gas cost.
Lead Judging Commences
Unbounded arrays
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.