MyCut

First Flight #23
Beginner Friendly · Foundry
Submission Details
Severity: high
Valid

Unbounded Loop in closePot Function Can Lead to Denial of Service

Summary:

The closePot function contains an unbounded for loop that iterates over the claimants array to distribute rewards. If the number of claimants is large, the loop could exceed the block gas limit, resulting in a denial-of-service (DoS) condition where the function fails to execute.

Vulnerability Details:

In the closePot function, there is a for loop that iterates through the claimants array to transfer rewards:

for (uint256 i = 0; i < claimants.length; i++) {
    _transferReward(claimants[i], claimantCut);
}

If the claimants array becomes too large, the gas required to execute all the iterations and subsequent reward transfers may exceed the block gas limit. This would prevent the transaction from being successfully mined, effectively causing a denial-of-service condition where the rewards cannot be distributed, and the pot cannot be closed.

Impact:

The impact of this vulnerability includes:

  • Denial of Service: If the loop consumes more gas than the block gas limit allows, the closePot function will revert. This prevents the contract from executing critical functions such as reward distribution and pot closure.

  • Locked Funds: Funds meant to be distributed to claimants could remain locked in the contract if the loop cannot be executed due to gas limits.

  • User Frustration: Users expecting to receive rewards may be frustrated by the inability to claim them due to the transaction failures caused by the gas limitations.

Tools Used:

  • Manual Review

Recommendations:

To mitigate the risk of a denial-of-service attack due to an unbounded loop, consider the following approaches:

  1. Batch Processing: Implement batch processing to distribute rewards in smaller batches over multiple transactions. This would prevent the function from exceeding the block gas limit.

  2. Gas Limit Checks: Introduce a check for the gas limit before the loop execution and halt the operation if the number of claimants is too large to process in a single transaction.

  3. Off-Chain Calculations: Use off-chain mechanisms to calculate and submit reward distributions to reduce on-chain computation.
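As an added illustration of recommendation 1 (this is example code, not MyCut's own contract), the pot below freezes the per-claimant share in closePot without looping, and then pays claimants in caller-bounded batches from a storage cursor; the contract name, the distribute function and the OpenZeppelin v5 imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin v5 is installed; SafeERC20 makes the transfer revert on failure.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical pot that replaces the single unbounded payout loop with
/// bounded batches, so closing never depends on claimants.length fitting in a block.
contract BatchedPot is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address[] public claimants;
    uint256 public claimantCut;   // per-claimant share, fixed when the pot closes
    uint256 public nextClaimant;  // cursor: index of the first claimant not yet paid
    bool public closed;

    constructor(IERC20 _token, address[] memory _claimants) Ownable(msg.sender) {
        require(_claimants.length > 0, "no claimants");
        token = _token;
        claimants = _claimants;
    }

    /// Step 1: close the pot and freeze the cut. No loop, so gas cost is constant.
    function closePot() external onlyOwner {
        require(!closed, "already closed");
        closed = true;
        claimantCut = token.balanceOf(address(this)) / claimants.length;
    }

    /// Step 2: pay at most `maxCount` claimants per call. Callable by anyone,
    /// repeatedly, until the cursor reaches the end of the array.
    function distribute(uint256 maxCount) external {
        require(closed, "pot not closed");
        uint256 start = nextClaimant;
        uint256 end = start + maxCount;
        if (end > claimants.length) end = claimants.length;
        require(end > start, "nothing left to distribute");
        nextClaimant = end; // update state before external calls (checks-effects-interactions)
        for (uint256 i = start; i < end; i++) {
            token.safeTransfer(claimants[i], claimantCut);
        }
    }
}
```

Because the cursor advances before any transfer, a single claimant whose transfer reverts only blocks its own batch; the caller can retry with a smaller maxCount rather than the whole pot being stuck.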

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbound loop in closePot
