NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Potential Gas Limit Issue

Summary

The absence of an upper bound on the uint256[] array in the _consumeMessageAutoWithdraw and _consumeMessageStarknet functions may lead to gas limit issues, causing transactions to fail. This vulnerability could disrupt the contract's normal operations, particularly for users with large requests, resulting in a potential denial of service.

Vulnerability Details

The functions _consumeMessageAutoWithdraw and _consumeMessageStarknet take an unbounded uint256[] array (request) as input. Without a limit on the array size, a large input could lead to excessive gas consumption, potentially causing the transaction to fail due to gas limits. This can disrupt the contract's functionality and prevent users from successfully withdrawing tokens or consuming messages.

Impact

If the array size is too large, transactions may run out of gas and fail, leading to a poor user experience and potential denial of service for legitimate users. This issue could make the contract unreliable, especially for users attempting to process large requests, as they may be unable to complete their transactions.

Tools Used

Recommendations

Add validation to ensure the array size does not exceed reasonable limits, or at least document this potential issue.

Batch Processing: Introduce batch processing for large arrays, allowing users to split their requests into smaller, more manageable transactions to avoid gas limit issues.
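
The length check recommended above, shown next to the unbounded form. This is an added example and not code from the NFTBridge project or from the submission; the contract name, function names, error names, the per-element work and the cap of 256 are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the NFTBridge source. Every name here is hypothetical.
contract BoundedRequestExample {
    /// Assumed cap; derive the real value from gas measurements of the
    /// per-element cost so the worst case fits well inside one block.
    uint256 public constant MAX_REQUEST_LENGTH = 256;

    error EmptyRequest();
    error RequestTooLong(uint256 length, uint256 max);

    mapping(uint256 => bool) public processed;
    event RequestConsumed(address indexed caller, uint256 length);

    /// Unbounded form: gas grows linearly with request.length (each new
    /// storage slot written costs on the order of 20,000 gas), so a long
    /// enough array can never fit in a block and the call always reverts.
    function consumeUnbounded(uint256[] calldata request) external {
        _process(request);
    }

    /// Bounded form: reject oversized input before doing any work, with an
    /// error that tells the caller the limit so the request can be split
    /// off-chain into several calls of at most MAX_REQUEST_LENGTH elements.
    function consumeBounded(uint256[] calldata request) external {
        uint256 len = request.length;
        if (len == 0) revert EmptyRequest();
        if (len > MAX_REQUEST_LENGTH) revert RequestTooLong(len, MAX_REQUEST_LENGTH);
        _process(request);
    }

    /// Stand-in for the per-element work done while consuming a request.
    function _process(uint256[] calldata request) private {
        uint256 len = request.length;
        for (uint256 i = 0; i < len; ++i) {
            processed[request[i]] = true;
        }
        emit RequestConsumed(msg.sender, len);
    }
}
```

If requests are created in one place and consumed in another, the same cap belongs at creation time as well, so that no request is accepted that can never be consumed.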

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
