MyCut

First Flight #23
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Potential Denial of Service (DoS) Vulnerability Due to Unbounded Growth of `contests` Array in `ContestManager` Contract

The ContestManager smart contract is vulnerable to a potential Denial of Service (DoS) attack due to the unbounded growth of the contests array. As the array grows with each new contest, functions that interact with this array, such as getContests, can become increasingly gas-intensive. Eventually, the contract could reach a point where these functions exceed the block gas limit, causing them to fail and rendering the contract unusable.

Vulnerability Details

The vulnerability is associated with the contests array, which stores the addresses of all contests created by the ContestManager contract. Functions like getContests return this entire array.

Scenario:
Each time a contest is created using the createContest function, the address of the new Pot contract is added to the contests array.
Over time, as more contests are created, the size of the contests array grows.
Functions that return or iterate over this array, such as getContests, require more gas to execute as the array becomes larger.
Once the gas required exceeds the block gas limit, these functions will fail, effectively locking out users from retrieving or interacting with contest data.

Impact

As the contests array grows, functions like getContests may start failing due to excessive gas consumption, making it impossible for users to retrieve contest data.

Tools Used

Manual Review

Recommendation

Allow removal of inactive or completed contests to manage array size.
Consider using mappings or other data structures that do not require iteration over all entries.
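
A sketch of the two recommendations above (removal of finished contests, and reads that never copy the whole array), given as an added example rather than the MyCut `ContestManager` source. The contract name, `MAX_PAGE`, `addContest`, `removeContest`, `contestCount` and the owner check are assumptions, and contest addresses are registered directly instead of deploying a Pot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; hypothetical names, not the audited contract.
contract PagedContestRegistry {
    address public immutable owner;
    address[] private contests;
    // 1-based slot of each contest in `contests`; 0 means "not registered".
    mapping(address => uint256) private slotOf;
    uint256 public constant MAX_PAGE = 100; // assumed cap on entries per read

    error NotOwner();
    error AlreadyRegistered();
    error UnknownContest();

    constructor() { owner = msg.sender; }

    function addContest(address contest) external {
        if (msg.sender != owner) revert NotOwner();
        if (slotOf[contest] != 0) revert AlreadyRegistered();
        contests.push(contest);
        slotOf[contest] = contests.length;
    }

    /// O(1) removal: move the last entry into the freed slot, then pop.
    function removeContest(address contest) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 slot = slotOf[contest];
        if (slot == 0) revert UnknownContest();
        address last = contests[contests.length - 1];
        contests[slot - 1] = last;
        slotOf[last] = slot;
        delete slotOf[contest]; // also correct when contest == last
        contests.pop();
    }

    function contestCount() external view returns (uint256) { return contests.length; }

    /// Returns at most MAX_PAGE entries starting at `offset`, so the cost of
    /// one call stays bounded however long `contests` grows.
    function getContests(uint256 offset, uint256 limit) external view returns (address[] memory page) {
        uint256 total = contests.length;
        if (offset >= total) return new address[](0);
        if (limit > MAX_PAGE) limit = MAX_PAGE;
        uint256 end = offset + limit > total ? total : offset + limit;
        page = new address[](end - offset);
        for (uint256 i = offset; i < end; ++i) page[i - offset] = contests[i];
    }
}
```

Swap-and-pop does not preserve insertion order, so a caller paging through the list while entries are being removed can miss or repeat an address; read `contestCount()` first and page within one block where ordering matters.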

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
