TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Unbounded loop in `TSender::areListsValid` could lead to a DoS attack

Summary

The `areListsValid` function is designed to validate two arrays: `recipients` and `amounts`.
However, the function's implementation includes a nested loop that results in quadratic time complexity, O(n²). This complexity can make the function susceptible to a Denial of Service (DoS) attack.

Vulnerability Details

The nested loop, which checks for duplicate addresses, leads to a quadratic time complexity of O(n²). This can exhaust the gas limit, causing the transaction to fail and potentially disrupting the smart contract's functionality.

Impact

  1. Resource Exhaustion: The function could consume an excessive amount of gas, leading to out-of-gas exceptions.

  2. Service Disruption: Legitimate users may be unable to interact with the contract if the function call consistently runs out of gas.

Tools Used

Manual review

Recommendations

Use a more efficient method to check for duplicates, such as a mapping. This reduces the time complexity from O(n²) to O(n):

```solidity
function areListsValid(address[] calldata recipients, uint256[] calldata amounts) external pure returns (bool) {
    // Both lists must be non-empty and the same length
    if (recipients.length == 0 || recipients.length != amounts.length) {
        return false;
    }
    mapping(address => bool) addressSet;
    for (uint256 i; i < recipients.length; i++) {
        // Reject the zero address and zero amounts
        if (recipients[i] == address(0) || amounts[i] == 0) {
            return false;
        }
        // Reject an address that has already been seen
        if (addressSet[recipients[i]]) {
            return false;
        }
        addressSet[recipients[i]] = true;
    }
    return true;
}
```

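Solidity only allows mappings in storage, so a linear duplicate check that stays `pure` needs a different device. The added example below is not part of the submission or of TSender's code: the contract and function names are hypothetical, the nested-loop version is reconstructed from the description above, and the single-pass version assumes the caller supplies `recipients` sorted in strictly ascending order.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not TSender's code. All names here are hypothetical.
contract ListChecks {
    /// Nested-loop duplicate check as the finding describes it (constructed
    /// from that description): n(n-1)/2 address comparisons for n recipients.
    function areListsValidQuadratic(
        address[] calldata recipients,
        uint256[] calldata amounts
    ) external pure returns (bool) {
        uint256 n = recipients.length;
        if (n == 0 || n != amounts.length) return false;
        for (uint256 i; i < n; i++) {
            if (recipients[i] == address(0) || amounts[i] == 0) return false;
            for (uint256 j = i + 1; j < n; j++) {
                if (recipients[i] == recipients[j]) return false;
            }
        }
        return true;
    }

    /// Single-pass variant. Assumption: the caller sorts recipients off-chain
    /// in strictly ascending order, so a duplicate or out-of-order entry
    /// appears as recipients[i] <= recipients[i - 1].
    function areListsValidSorted(
        address[] calldata recipients,
        uint256[] calldata amounts
    ) external pure returns (bool) {
        uint256 n = recipients.length;
        if (n == 0 || n != amounts.length) return false;
        // prev starts at address(0), so the first entry must be non-zero
        address prev;
        for (uint256 i; i < n; i++) {
            if (amounts[i] == 0) return false;
            // Catches the zero address, duplicates, and unsorted input
            if (recipients[i] <= prev) return false;
            prev = recipients[i];
        }
        return true;
    }
}
```
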
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
