The _white_list_collection(...) function, called internally by white_list_collection(...), is used to whitelist or blacklist a collection. However, the function is implemented incorrectly and, depending on the position of the collection being disabled (blacklisted), gets stuck in an infinite loop, breaking core protocol functionality and leading to gas exhaustion (DoS).
As shown below, the list of whitelisted collections always has one collection at its head, stored in white_listed_head (cached on L496 as prev), and this head is updated whenever the collection in that position changes. The white_listed_list contains all the whitelisted tokens.
Collections are added to a linked list in the sequence illustrated below, where next marks the end of the list and is initially set to zero until a new collection is added. Each collection has its own next pair.
When blacklisting, L516 is executed and there is no problem with blacklisting c1 and c2.
However, when disabling c3 or a collection with a higher index, the loop on L525 is executed, and it proceeds as follows:
The admin wants to disable c3.
On L496, prev == c1.
L526 is executed and next == c2.
prev is not updated to the next value of c2, so when the loop iterates a second time, prev == c1 and next == c2 again.
c3 is never reached; the loop keeps iterating and is stuck in an infinite loop, leading to a DoS in the contract.
Notice that this missing update is performed during whitelisting on L513.
The test with 3 collections passed because the 3rd collection was never removed first, so this scenario was not caught by the tests.
Disabling/blacklisting some collections will fail and could leave the function stuck in an infinite loop, possibly causing a DoS. This breaks core protocol functionality.
Manual review.
Modify the _white_list_collection(...) function as shown below.
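The traversal described above, modelled as an added example (not the audited contract's code): a head pointer plus one next pointer per collection, with the blacklist loop's missing `prev = next` update toggled by a `fixed` flag so the stuck case and the corrected case can be compared. The step budget stands in for gas; line references in the comments are to the report's numbering.

```python
class InfiniteLoop(Exception):
    """Stands in for gas exhaustion: the loop never reaches the target."""


class Whitelist:
    def __init__(self):
        self.head = 0      # first whitelisted collection, 0 when empty
        self.next = {}     # collection -> next collection, 0 at the tail

    def whitelist(self, c):
        """Append c at the tail, like the sequence in the finding."""
        self.next[c] = 0
        if self.head == 0:
            self.head = c
            return
        prev = self.head
        while self.next[prev] != 0:
            prev = self.next[prev]      # the update that blacklisting forgets (L513)
        self.next[prev] = c

    def find_prev(self, target, fixed, budget=50):
        """Return the collection preceding target; `fixed` enables the prev update."""
        prev = self.head                # cached once at loop entry (L496)
        for _ in range(budget):
            nxt = self.next[prev]       # re-read from prev on every iteration (L526)
            if nxt == target:
                return prev
            if nxt == 0:
                raise KeyError(f"{target} is not whitelisted")
            if fixed:
                prev = nxt              # the missing `prev = next` update
        raise InfiniteLoop(f"prev stuck at {prev}, never reaches {target}")

    def blacklist(self, target, fixed=True):
        """Unlink target; head and head.next need no loop (L516), others traverse."""
        if target == self.head:
            self.head = self.next.pop(target)
            return
        prev = self.find_prev(target, fixed)
        self.next[prev] = self.next.pop(target)

    def as_list(self):
        out, c = [], self.head
        while c != 0:
            out.append(c)
            c = self.next[c]
        return out
```

With four constructed collections c1..c4, removing c1 or c2 works either way, removing c3 with `fixed=False` exhausts the budget, and with `fixed=True` it yields [c1, c2, c4].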
Likelihood: High, owner can only unwhitelist the 2 first collections. Impact: Medium/High, owner has to empty the list to remove any collection, and replace all the new ones.