NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unbounded iteration in whitelist retrieval may lead to gas limit exhaustion

Summary

Unbounded iteration in whitelist retrieval may lead to gas limit exhaustion.

Vulnerability Details

The get_white_listed_collections function iterates through a linked list of whitelisted collections without imposing any limit on the number of iterations.

This unbounded loop could hit gas limits for excessively long lists.

```cairo
fn get_white_listed_collections(self: @ContractState) -> Span<ContractAddress> {
    let mut white_listed = array![];
    let mut current = self.white_listed_head.read();
    loop {
        if current.is_zero() {
            break;
        }
        let (enabled, next) = self.white_listed_list.read(current);
        if !enabled {
            break;
        } else {
            white_listed.append(current);
            current = next;
        }
    };
    white_listed.span()
}
```

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L330C8-L346C10

Impact

The function may fail due to out-of-gas errors if the whitelist becomes too large.

Tools Used

Manual review

Recommendations

Implement a maximum iteration limit to prevent potential gas limit issues.
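The following Python model is an added example, not code from the ark-project bridge. It mirrors the storage layout of the Cairo snippet above (a head pointer plus a mapping from address to `(enabled, next)`) and contrasts the unbounded walk with a cursor-based, bounded variant of the kind the recommendation asks for. The per-read gas charge, the `gas_budget`, the `ZERO` sentinel and the pagination API (`cursor`, `max_items`) are all assumptions of this model; the integer "addresses" are constructed sample data.

```python
"""Model of a head-inserted linked-list whitelist and two ways to read it.

Added example (not the project's code). Storage layout follows the Cairo
snippet; gas accounting and the pagination API are assumptions.
"""
from dataclasses import dataclass, field

ZERO = 0  # stands in for the zero ContractAddress that terminates the list


class OutOfGas(Exception):
    """Raised when the constructed per-call gas budget is exceeded."""


@dataclass
class WhitelistStorage:
    head: int = ZERO
    # address -> (enabled, next), like white_listed_list in the contract
    entries: dict = field(default_factory=dict)

    def add(self, addr: int) -> None:
        """Prepend an enabled entry, as head insertion into the list does."""
        self.entries[addr] = (True, self.head)
        self.head = addr


def traverse_unbounded(storage: WhitelistStorage, gas_budget: int) -> list:
    """Mirrors get_white_listed_collections: walk until the zero address or a
    disabled entry, charging one unit of (constructed) gas per storage read."""
    out, current, gas = [], storage.head, 0
    while current != ZERO:
        gas += 1
        if gas > gas_budget:
            raise OutOfGas(f"budget exhausted after {len(out)} entries")
        enabled, nxt = storage.entries[current]
        if not enabled:
            break
        out.append(current)
        current = nxt
    return out


def runs_out_of_gas(storage: WhitelistStorage, gas_budget: int) -> bool:
    """True if a single unbounded read of the list exceeds the budget."""
    try:
        traverse_unbounded(storage, gas_budget)
    except OutOfGas:
        return True
    return False


def traverse_paginated(storage: WhitelistStorage, cursor: int, max_items: int):
    """Bounded variant: at most max_items entries per call.

    cursor == ZERO starts from the head. Returns (page, next_cursor), where
    next_cursor is ZERO once the list is finished (zero address reached or a
    disabled entry found, matching the original loop's termination rule)."""
    out = []
    current = storage.head if cursor == ZERO else cursor
    count = 0
    while current != ZERO and count < max_items:
        enabled, nxt = storage.entries[current]
        if not enabled:
            current = ZERO  # original loop stops here; report the list as done
            break
        out.append(current)
        current = nxt
        count += 1
    return out, current


def collect_all(storage: WhitelistStorage, page_size: int) -> list:
    """Read the whole list across several bounded calls (an off-chain caller
    would issue one call per page instead of one unbounded call)."""
    result, cursor = [], ZERO
    while True:
        page, cursor = traverse_paginated(storage, cursor, page_size)
        result.extend(page)
        if cursor == ZERO:
            return result


if __name__ == "__main__":
    st = WhitelistStorage()
    for addr in range(1, 1001):  # constructed: 1000 whitelisted "addresses"
        st.add(addr)
    print("unbounded read within budget 500 fails:", runs_out_of_gas(st, 500))
    print("paginated read, 100 per call, entries:", len(collect_all(st, 100)))
```

Each paginated call touches at most `max_items` storage slots, so its cost no longer grows with the whitelist, and a disabled entry ends the list exactly as the original loop does.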

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

sabit Submitter over 1 year ago

n0kto Lead Judge over 1 year ago
