Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: low
Valid

[L-1] Potential Gas Limit Exhaustion in claimAllRewards Function

Summary

The claimAllRewards function may run out of gas if a user owns a large number of rewards, preventing successful execution.

function claimAllRewards() public {
    uint256 totalValue = 0;
    for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
        totalValue += rewardsOwned[msg.sender][i].value;
    }
    require(totalValue > 0, "No rewards to claim");
    (bool success,) = payable(msg.sender).call{value: totalValue}("");
    require(success, "Transfer failed");
    delete rewardsOwned[msg.sender];
}

Vulnerability Details

The function iterates over the entire rewardsOwned array to calculate the total value of rewards. If the array is too large, the transaction could exceed the block gas limit, causing it to fail.

Steps to Exploit:

  1. A user accumulates a large number of rewards.

  2. Attempts to call claimAllRewards result in transaction failure due to gas exhaustion.

Impact

Users with many rewards may be unable to claim them all at once, leading to a denial of service for claiming rewards.

Tools Used

Manual Review

Recommendations

  • Implement a batching mechanism to allow users to claim rewards in smaller chunks.

  • Consider optimizing the reward storage or calculation logic to reduce gas consumption.

  • Alternatively, impose a limit on the number of rewards that can be claimed in a single transaction.
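
One way to implement the batching recommendation, as an added example that is not code from the audited contract or from the submission. The Reward struct and storage layout are assumed from the snippet above; claimRewardsBatch and maxCount are hypothetical names, and how rewards are granted and how the contract is funded are outside the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: bounded-gas variant of claimAllRewards.
// Struct fields and names other than rewardsOwned are assumptions.
contract BatchedRewardClaim {
    struct Reward {
        uint256 value; // the only field the finding's snippet reads
    }

    mapping(address => Reward[]) public rewardsOwned;

    // Claims at most maxCount rewards, taken from the end of the caller's
    // array. Gas per call scales with maxCount, not with the array length,
    // so a caller with a very large array can drain it over several calls.
    function claimRewardsBatch(uint256 maxCount) external {
        Reward[] storage rewards = rewardsOwned[msg.sender];
        uint256 remaining = rewards.length;
        uint256 count = maxCount < remaining ? maxCount : remaining;
        require(count > 0, "No rewards to claim");

        uint256 totalValue = 0;
        for (uint256 i = 0; i < count; i++) {
            totalValue += rewards[rewards.length - 1].value;
            // pop() clears the slot, so an entry cannot be claimed twice
            // and there is no unbounded `delete` of the whole array.
            rewards.pop();
        }

        // A batch made only of zero-value rewards is still removed; reverting
        // here would leave those entries stuck at the end of the array.
        if (totalValue > 0) {
            // Storage is already updated, so the external call comes last.
            (bool success,) = payable(msg.sender).call{value: totalValue}("");
            require(success, "Transfer failed");
        }
    }
}
```

Clearing storage with `delete rewardsOwned[msg.sender]` also costs gas in proportion to the array length, which is why the batch removes entries with `pop()` instead.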

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Gas Limit Exhaustion in `claimAllRewards` Function
