NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

The `whiteList()` function in `Bridge.sol` can get DoSed at some point

Summary

The `_whiteListCollection()` function, which is called inside `whiteList()`, is used to whitelist new collections. The problem is that every time we whitelist one it is pushed to the `_collections` array, but when it is removed from the whitelist it is not popped, which can lead to a DoS through out-of-gas at some point.

Vulnerability Details

This is the `_whiteListCollection()` function that is called inside the `whiteList()` function in `Bridge.sol`:

```solidity
function _whiteListCollection(address collection, bool enable) internal {
    if (enable && !_whiteList[collection]) {
        bool toAdd = true;
        uint256 i = 0;
        while (i < _collections.length) { // <<< linear scan over a storage array
            if (collection == _collections[i]) {
                toAdd = false;
                break;
            }
            i++;
        }
        if (toAdd) {
            _collections.push(collection); // <<< pushed here, never popped
        }
    }
    _whiteList[collection] = enable;
}
```

As we can see, we are iterating through the `_collections` array, which is a storage variable, every time, so as we keep adding new collections this function will become more and more expensive in terms of gas, and at some point it will get DoSed.

Impact

High, because a functionality that is used in every core function in the protocol can get DoSed, and it will break the whole protocol.

Tools Used

Manual Review

Recommendations

At the end of the function, add a check for whether `enable` is set to false and, inside it, remove the collection from the `_collections` array.
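One way to implement the removal recommended above, shown as an added example that is not code from the submission or from the audited `Bridge.sol`. It goes one step further than the recommendation by also replacing the linear scan with an index mapping; the contract name, `_indexPlusOne` and the two view functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. _whiteList and _collections mirror the names in the snippet
// above; everything else is a hypothetical name chosen for illustration.
contract CollectionWhitelist {
    mapping(address => bool) private _whiteList;
    address[] private _collections;
    // 1-based position of a collection in _collections; 0 means "not in the array".
    mapping(address => uint256) private _indexPlusOne;

    function _whiteListCollection(address collection, bool enable) internal {
        uint256 pos = _indexPlusOne[collection];
        if (enable && pos == 0) {
            // O(1) membership check replaces the while loop over storage.
            _collections.push(collection);
            _indexPlusOne[collection] = _collections.length;
        } else if (!enable && pos != 0) {
            // Swap-and-pop: move the last element into the freed slot, then
            // shrink the array. Ordering of _collections is not preserved.
            uint256 lastIndex = _collections.length - 1;
            address last = _collections[lastIndex];
            if (last != collection) {
                _collections[pos - 1] = last;
                _indexPlusOne[last] = pos;
            }
            _collections.pop();
            delete _indexPlusOne[collection];
        }
        _whiteList[collection] = enable;
    }

    function isWhiteListed(address collection) external view returns (bool) {
        return _whiteList[collection];
    }

    // Equals the number of currently whitelisted collections, because
    // disabling a collection now removes its array entry.
    function collectionCount() external view returns (uint256) {
        return _collections.length;
    }
}
```

With this layout the gas cost of adding or removing a collection no longer depends on how many collections were whitelisted before it.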

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10
