Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Purchase() may fail due to exceed gas limit

bhunter

Summary

Purchase may fail due to unbounded outer and inner loops.

Vulnerability Details

The Purchase() function is defined as:

function purchase() external onlyAuthorized {

// check that we are in the Buy phase, and return round

(uint256 round,) = _checkRoundPhase(Phase.Buy);//@audit leading an unbounded outer loop

// check if the task is already processed

uint256 taskId = oraclePurchaseRequests[round];

if (isOracleRequestProcessed[taskId]) {

revert TaskAlreadyProcessed();

}

// read oracle result using the latest task id for this round

bytes memory output = oracleResult(taskId);

address[] memory assets = abi.decode(output, (address[]));//@audit this might be large

// we purchase each asset returned

for (uint256 i = 0; i < assets.length; i++) {

address asset = assets[i];

// must not exceed the roundly buy-limit

uint256 price = swan.getListingPrice(asset);//@audit the external call

spendings[round] += price;

if (spendings[round] > amountPerRound) {

revert BuyLimitExceeded(spendings[round], amountPerRound);

}

// add to inventory

inventory[round].push(asset);

// make the actual purchase

swan.purchase(asset);

}

// update taskId as completed

isOracleRequestProcessed[taskId] = true;

}

Firstly a call made to _checkRoundPhase(), which makes a call to getRoundPhase():

function _checkRoundPhase(Phase _phase) internal view returns (uint256, Phase) {

(uint256 round, Phase phase,) = getRoundPhase();

if (phase != _phase) {

revert InvalidPhase(phase, _phase);

}

return (round, phase);

}

in the function getRoundPhase, we go over marketParams in while loop. Here the loop is unbounded. After cashing the round in the Purchase(), The output of the oracle result is decoded into assetsarray. There isfor loopthat iterates over the assets array, makes external calls to swan contract. Combining previously mentioned outer loop(while loop) , the external call , the unboundedfor loopand also thatassets array could get large, it is likely that the tx will run out of gas.

Impact

Purchases may not be possible due to DOS condition.

Tools Used

Manual Review

Recommendations

Consider limiting the loops

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.