ArkProject: NFT Bridge

Summary

If the token_ids array is too large, the gas limit may be exceeded, resulting in the transaction being unable to be packaged and confirmed.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L247

In the deposit_tokens method, the size of the token_ids array is not effectively limited. If the user provides a very large array, the contract will consume too much gas during processing and may exceed the maximum gas limit of the blockchain.

• Gas consumption: Each token_ids element processed consumes a certain amount of gas. The larger the array, the more gas is required to process. If the gas exceeds the block limit or the limit provided by the user, the transaction will fail and roll back.

• Block limit: Each block of the blockchain has a maximum gas limit. If the gas required for a transaction exceeds this limit, the transaction will not be included in the block and will never be confirmed.

• Processing time: Processing large amounts of data may result in long execution times, affecting the user experience and may cause transaction failures.

Impact

• Transaction failure: If the gas consumption is too high, the transaction will not be successfully executed and the user's funds will be wasted.

• High fees: Even if the transaction is successful, the high gas consumption of processing large arrays will result in very high transaction fees.

• Node resource consumption: Large-scale data processing will bring additional burden to blockchain nodes, affecting the normal operation and synchronization of nodes.

Tools Used

VSCode

Recommendations

• Limit array size: Explicitly limit the maximum length of the token_ids array in the contract to prevent the passing of too large an array.

• Batch processing: It is recommended that users submit a large number of token_ids in batches to avoid excessive gas fees for a single transaction.