One World (NFTDeFi) - 15,000 USDC
Submission Details
Severity: medium
Status: Invalid

Potential DoS in MembershipERC1155::burnBatchMultiple

Summary

MembershipERC1155::burnBatchMultiple iterates over a caller-supplied froms array with no upper bound and performs seven balanceOf reads (and up to seven burns) per address. For a large enough array the call exceeds the block gas limit and can never be mined, a denial of service on the batch-burn operation.

function burnBatchMultiple(address[] memory froms) public onlyRole(OWP_FACTORY_ROLE) {
    // => DoS: froms.length is unbounded, so gas grows linearly with the array
    for (uint256 j = 0; j < froms.length; ++j) {
        for (uint256 i = 0; i < 7; ++i) {
            uint256 amount = balanceOf(froms[j], i);
            if (amount > 0) {
                burn_(froms[j], i, amount);
            }
        }
    }
}

Vulnerability Details

Proof of concept (Foundry test). The test contract must hold OWP_FACTORY_ROLE on the token and imports OpenZeppelin's Strings for Strings.toString.

function testDos() public {
    // 10 holders, one token id each, then burn them all in a single call
    uint256 addressLength1 = 10;
    address[] memory addresses1 = new address[](addressLength1);
    for (uint256 i = 0; i < addressLength1; i++) {
        addresses1[i] = makeAddr(Strings.toString(i));
        token.mint(addresses1[i], 1, 1e18);
    }
    uint256 gasStart1 = gasleft();
    token.burnBatchMultiple(addresses1);
    uint256 gasEnd1 = gasleft();
    console.log("gas used for 10 people:", gasStart1 - gasEnd1);

    // 100 holders (the first 10 are re-minted after being burned above)
    uint256 addressLength2 = 100;
    address[] memory addresses2 = new address[](addressLength2);
    for (uint256 i = 0; i < addressLength2; i++) {
        addresses2[i] = makeAddr(Strings.toString(i));
        token.mint(addresses2[i], 1, 1e18);
    }
    uint256 gasStart2 = gasleft();
    token.burnBatchMultiple(addresses2);
    uint256 gasEnd2 = gasleft();
    console.log("gas used for 100 people:", gasStart2 - gasEnd2);
}

Output:
Ran 1 test for test/testMembershipERC1155test.t.sol:TestmembershipERC1155
[PASS] testDos() (gas: 5783083)
Logs:
gas used for 10 people: 131712
gas used for 100 people: 1297280

Gas grows linearly with the array: the extra 90 addresses cost about 1.17M gas, roughly 13,000 gas per address (seven balance reads plus one burn). At that rate a few thousand addresses in one call is enough to exceed the block gas limit.

Impact

As the number of addresses in the array grows, the gas consumed by burnBatchMultiple eventually exceeds the block gas limit and the transaction cannot be included in any block.

If this function is needed for essential protocol operations, such as large-scale token burns in response to a governance vote or a financial adjustment, an oversized batch would disrupt or delay those operations until the caller splits the list. Note that the function is gated by OWP_FACTORY_ROLE, so only the factory can submit such an array, and a failed call reverts without changing state.

Tools Used

Manual review, Foundry

Recommendations

Limit Address Count:

  • Enforce a maximum number of addresses per burnBatchMultiple call so that gas usage stays well below the block limit.

For example:

error ArrayLengthCantBeGreaterThanFifty(uint256 length);

function burnBatchMultiple(address[] memory froms) public onlyRole(OWP_FACTORY_ROLE) {
    // added: reject oversized batches up front instead of running out of gas mid-loop
    if (froms.length > 50) revert ArrayLengthCantBeGreaterThanFifty(froms.length);
    for (uint256 j = 0; j < froms.length; ++j) {
        for (uint256 i = 0; i < 7; ++i) {
            uint256 amount = balanceOf(froms[j], i);
            if (amount > 0) {
                burn_(froms[j], i, amount);
            }
        }
    }
}

Iterative Batching:

  • Instead of burning for all addresses at once, consider a mechanism to process smaller batches iteratively across multiple transactions.
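An added example that combines both recommendations; it is not the One World project's code. A minimal ERC1155 built on OpenZeppelin 5.x and AccessControl caps burnBatchMultiple at MAX_BURN_BATCH addresses, and a Foundry test (forge-std) drives 1,000 holders through it in chunks of 50, checking that each call's gas stays bounded and that every balance ends at zero. The contract and test names, MAX_BURN_BATCH, BatchTooLarge and the 2,000,000 gas bound are assumptions; OWP_FACTORY_ROLE and the seven token ids come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code, not the project's own. Assumes OpenZeppelin 5.x and forge-std.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Test} from "forge-std/Test.sol";

contract BoundedBurnERC1155 is ERC1155, AccessControl {
    bytes32 public constant OWP_FACTORY_ROLE = keccak256("OWP_FACTORY_ROLE");
    uint256 public constant TOKEN_IDS = 7;       // ids 0..6, as in the original loop
    uint256 public constant MAX_BURN_BATCH = 50; // hard cap per call (assumed value)

    error BatchTooLarge(uint256 requested, uint256 max);

    constructor() ERC1155("") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(OWP_FACTORY_ROLE, msg.sender);
    }

    function mint(address to, uint256 id, uint256 amount) external onlyRole(OWP_FACTORY_ROLE) {
        _mint(to, id, amount, "");
    }

    // Same semantics as the original, but per-call work is bounded: at most
    // MAX_BURN_BATCH * TOKEN_IDS balance reads and burns, so gas is bounded too.
    function burnBatchMultiple(address[] calldata froms) external onlyRole(OWP_FACTORY_ROLE) {
        if (froms.length > MAX_BURN_BATCH) revert BatchTooLarge(froms.length, MAX_BURN_BATCH);
        for (uint256 j = 0; j < froms.length; ++j) {
            for (uint256 id = 0; id < TOKEN_IDS; ++id) {
                uint256 amount = balanceOf(froms[j], id);
                if (amount > 0) _burn(froms[j], id, amount);
            }
        }
    }

    // ERC1155 and AccessControl both implement ERC165; resolve the override.
    function supportsInterface(bytes4 interfaceId)
        public view override(ERC1155, AccessControl) returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}

contract BoundedBurnTest is Test {
    BoundedBurnERC1155 token;

    function setUp() public {
        token = new BoundedBurnERC1155(); // deployer (this test) holds OWP_FACTORY_ROLE
    }

    // An oversized batch is rejected up front instead of running out of gas mid-loop.
    function testRevertsAboveCap() public {
        uint256 max = token.MAX_BURN_BATCH();
        address[] memory froms = new address[](max + 1);
        vm.expectRevert(
            abi.encodeWithSelector(BoundedBurnERC1155.BatchTooLarge.selector, froms.length, max)
        );
        token.burnBatchMultiple(froms);
    }

    // Iterative batching: 1,000 holders are burned across 20 calls of 50 each.
    // Per-call gas is roughly constant no matter how long the full list is.
    function testChunkedBurn() public {
        uint256 total = 1000;
        uint256 chunk = token.MAX_BURN_BATCH();
        address[] memory all = new address[](total);
        for (uint256 i = 0; i < total; i++) {
            all[i] = makeAddr(vm.toString(i)); // constructed holders
            token.mint(all[i], 1, 1e18);
        }
        for (uint256 start = 0; start < total; start += chunk) {
            uint256 len = total - start < chunk ? total - start : chunk;
            address[] memory window = new address[](len);
            for (uint256 k = 0; k < len; k++) window[k] = all[start + k];
            uint256 gasBefore = gasleft();
            token.burnBatchMultiple(window);
            // 50 holders x 7 ids is far below any block gas limit (bound is assumed)
            assertLt(gasBefore - gasleft(), 2_000_000);
        }
        for (uint256 i = 0; i < total; i++) assertEq(token.balanceOf(all[i], 1), 0);
    }
}
```

The off-chain caller (or a keeper) slices the full holder list into windows of MAX_BURN_BATCH and submits one transaction per window; because each window is independent, a failed or dropped transaction can simply be resubmitted without affecting the others. If the list must instead live on-chain, the same pattern applies with a stored cursor that each call advances by at most MAX_BURN_BATCH entries.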

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

aye__aye Submitter
7 months ago
0xbrivan2 Lead Judge
7 months ago
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
