Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Gas Limit and Denial of Service (DoS) Vulnerability

Summary

The claimAllRewards function can be pushed into a Denial of Service (DoS) state when a user owns an excessively large number of rewards: the loop over the reward list consumes gas proportional to its length, so the call can exceed the block gas limit and the user can no longer claim their rewards at all.

Vulnerability Details

The function iterates over rewardsOwned[msg.sender] to sum the value of every reward before transferring the total. Because the loop is unbounded and the array only shrinks after a successful claim, a sufficiently long reward list makes the transaction consume more gas than a block allows, so it reverts every time it is attempted.

  • Vulnerable Code Snippet

    function claimAllRewards() public {
        uint256 totalValue = 0;
        // Unbounded loop: gas cost grows linearly with the caller's reward list
        for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
            totalValue += rewardsOwned[msg.sender][i].value;
        }
        require(totalValue > 0, "No rewards to claim");
        (bool success,) = payable(msg.sender).call{value: totalValue}("");
        require(success, "Transfer failed");
        // The list is only cleared after a successful claim, so it never shrinks while claims fail
        delete rewardsOwned[msg.sender];
    }

Impact

Users who buy boxes for a chance to win rewards could find themselves unable to claim their earnings because of this vulnerability, leading to significant frustration and a loss of faith in the contract's reliability.

Since rewards can only be obtained through these purchases and a stroke of luck, malicious actors could exploit this flaw by artificially inflating users' reward lists, effectively locking them out of their hard-earned prizes. All users, and especially those who have invested time and resources into buying boxes, are therefore exposed to this Denial of Service (DoS) condition.

If left unaddressed, this issue could severely damage the user experience and erode confidence in the platform's integrity.

Tools Used

Manual review.

Recommendations

Implement a maximum limit on the number of rewards that can be claimed in a single transaction, so that the gas cost of a claim is bounded regardless of how many rewards a user holds and the remaining rewards can be claimed in later transactions. This change not only protects users from the Denial of Service (DoS) condition but also makes reward claims more predictable and manageable.
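A bounded variant of the claim function, written here as an added example and not the Mystery Box contract's own code. It assumes a Reward struct with a value field behind the rewardsOwned mapping shown in the snippet; the names BoundedClaim, MAX_REWARDS_PER_CLAIM and claimRewards are chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. The Reward struct and the
// rewardsOwned layout are assumptions that mirror the vulnerable snippet.
contract BoundedClaim {
    struct Reward {
        string name;
        uint256 value;
    }

    // Hard cap on loop iterations per transaction so the gas cost of a
    // claim no longer depends on how many rewards the caller has accumulated.
    uint256 public constant MAX_REWARDS_PER_CLAIM = 50;

    mapping(address => Reward[]) public rewardsOwned;

    // Lets the contract hold the ETH that funds reward payouts.
    receive() external payable {}

    // Claims up to `count` rewards (capped at MAX_REWARDS_PER_CLAIM) from the
    // end of the caller's list. A user with a very long list drains it over
    // several transactions instead of being stuck with one that cannot fit.
    function claimRewards(uint256 count) public {
        Reward[] storage rewards = rewardsOwned[msg.sender];
        require(rewards.length > 0, "No rewards to claim");
        if (count > MAX_REWARDS_PER_CLAIM) count = MAX_REWARDS_PER_CLAIM;
        if (count > rewards.length) count = rewards.length;

        uint256 totalValue = 0;
        for (uint256 i = 0; i < count; i++) {
            totalValue += rewards[rewards.length - 1].value;
            rewards.pop(); // remove the reward before any external call
        }

        // Zero-value rewards are removed without a transfer, so they can
        // never block the rest of the list from being claimed.
        if (totalValue > 0) {
            (bool success,) = payable(msg.sender).call{value: totalValue}("");
            require(success, "Transfer failed");
        }
    }

    // Number of rewards still waiting to be claimed by `user`.
    function pendingRewards(address user) external view returns (uint256) {
        return rewardsOwned[user].length;
    }
}
```

A caller whose list exceeds the cap simply repeats claimRewards until pendingRewards reports zero; each call costs at most the gas of MAX_REWARDS_PER_CLAIM iterations.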

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Gas Limit Exhaustion in `claimAllRewards` Function
