NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unbounded iteration in whitelist retrieval may lead to gas limit exhaustion

Summary

Unbounded iteration in whitelist retrieval may lead to gas limit exhaustion.

Vulnerability Details

The get_white_listed_collections function iterates through a linked list of whitelisted collections without imposing any limit on the number of iterations.

This unbounded loop could hit gas limits for excessively long lists.

    // Walks the whole whitelist linked list from the head with no upper bound
    // on the number of iterations.
    fn get_white_listed_collections(self: @ContractState) -> Span<ContractAddress> {
        let mut white_listed = array![];
        let mut current = self.white_listed_head.read();
        loop {
            // End of list: the "next" pointer of the last entry is the zero address.
            if current.is_zero() {
                break;
            }
            let (enabled, next) = self.white_listed_list.read(current);
            // A disabled entry terminates the traversal.
            if !enabled {
                break;
            } else {
                white_listed.append(current);
                current = next;
            }
        };
        white_listed.span()
    }

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L330C8-L346C10

Impact

The function may fail due to out-of-gas errors if the whitelist becomes too large.

Tools Used

Manual review

Recommendations

Implement a maximum iteration limit to prevent potential gas limit issues.
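A bounded, paginated variant of the getter, as an added example (not code from the ark-project repository). It assumes the storage layout implied by the original function: white_listed_head holding the first address and white_listed_list mapping an address to an (enabled, next) pair.

```cairo
// Paginated whitelist getter (added example, not ark-project code).
// Assumed storage, matching what the original getter reads:
//   white_listed_head: ContractAddress
//   white_listed_list: LegacyMap<ContractAddress, (bool, ContractAddress)>
//
// Walks at most `max_items` entries starting at `start` (zero address = begin
// at the head) and returns the page plus the cursor to resume from. A zero
// cursor means the end of the list was reached, so a caller can page through
// an arbitrarily long whitelist without one call exceeding its gas budget.
fn get_white_listed_collections_page(
    self: @ContractState, start: ContractAddress, max_items: u32
) -> (Span<ContractAddress>, ContractAddress) {
    let mut page = array![];
    let mut current = if start.is_zero() {
        self.white_listed_head.read()
    } else {
        start
    };
    let mut count: u32 = 0;
    loop {
        // Stop at the end of the list or once the page is full;
        // `current` is then the cursor for the next call.
        if current.is_zero() || count == max_items {
            break;
        }
        let (enabled, next) = self.white_listed_list.read(current);
        if !enabled {
            // A disabled entry terminates the list, exactly as in the original;
            // report "end reached" rather than handing back a dead cursor.
            current = starknet::contract_address_const::<0>();
            break;
        }
        page.append(current);
        current = next;
        count += 1;
    };
    (page.span(), current)
}
```

A caller fetches the first page with a zero start address and keeps passing the returned cursor back in until it is zero.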

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

sabit Submitter 11 months ago

n0kto Lead Judge 11 months ago
