Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Status: Invalid

burnBatchMultiple could be DoSed when a large number of addresses is processed

Summary

The function MembershipERC1155.sol::burnBatchMultiple has an outer loop and an inner loop. The outer loop [j] iterates over the froms array, an array of addresses; each address in froms is an account whose token balances are checked and burned. The inner loop [i] iterates over token IDs 0 to 6 (seven tokens in total).

  • For each address froms[j], the inner loop reads balanceOf(froms[j], i) for every token ID from 0 to 6 and burns any non-zero balance.

Vulnerability Details

  • The outer loop for(uint256 j = 0; j < froms.length; ++j) visits every address in froms, so one call performs a batch operation on many accounts. There is no upper bound on froms.length. Each address costs up to seven balanceOf reads plus up to seven burns in the inner loop, so the gas cost of the call grows linearly with the number of addresses. A sufficiently long froms array pushes the call past the block gas limit, and the transaction can never succeed, which is a Denial of Service of the batch burn.

  • Likelihood: Low

    // Outer loop: unbounded, one iteration per address in froms
    for (uint256 j = 0; j < froms.length; ++j) {
        // Inner loop: the seven membership token IDs, 0..6
        for (uint256 i = 0; i < 7; ++i) {
            uint256 amount = balanceOf(froms[j], i);
            if (amount > 0) {
                // Internal burn helper of MembershipERC1155
                burn_(froms[j], i, amount);
            }
        }
    }

Impact

High

With a sufficiently large froms array the call runs out of gas partway through the loop. The EVM then reverts the whole transaction, so none of the burns performed in that call persist and the gas spent on them is lost; the batch cannot be completed in a single transaction. Since new burn operations can only proceed once previous ones complete, an oversized batch stalls the entire burning process until the caller resubmits the addresses in smaller chunks, a limit the contract does not enforce.

Tools Used

Manual Review

Recommendations

It is recommended to add an upper bound on the number of addresses that burnBatchMultiple accepts in one call (for example, revert if froms.length exceeds a constant sized from the worst-case gas cost of an address holding all seven tokens), and to process larger sets across several transactions.
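The bound described above, as an added example written for this page; it is not code from the One World project or from MembershipERC1155.sol. It assumes the OpenZeppelin v5 ERC1155 and Ownable bases, and the names BoundedBurnExample, MAX_FROMS, TOKEN_ID_COUNT, BatchTooLarge and _burnAllTiers are hypothetical. The unbounded function keeps the shape of the finding's loop so the two can be compared side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the One World / MembershipERC1155 code. It assumes the
// OpenZeppelin v5 ERC1155 and Ownable bases; MAX_FROMS, TOKEN_ID_COUNT and
// BatchTooLarge are hypothetical names chosen for this illustration.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract BoundedBurnExample is ERC1155, Ownable {
    // Seven token IDs, matching the 0..6 inner loop in the finding.
    uint256 public constant TOKEN_ID_COUNT = 7;

    // Upper bound on addresses per call. The value is an assumption: in
    // practice it is calibrated by measuring the worst case (every address
    // holding all seven IDs) against the target chain's block gas limit.
    uint256 public constant MAX_FROMS = 100;

    error BatchTooLarge(uint256 given, uint256 max);

    constructor(string memory uri_) ERC1155(uri_) Ownable(msg.sender) {}

    // Mint helper so the example can be exercised in a test.
    function mint(address to, uint256 id, uint256 amount) external onlyOwner {
        _mint(to, id, amount, "");
    }

    // Vulnerable shape from the finding: the outer loop has no upper bound,
    // so gas grows linearly with froms.length until the call cannot fit in a block.
    function burnBatchMultipleUnbounded(address[] calldata froms) external onlyOwner {
        for (uint256 j = 0; j < froms.length; ++j) {
            for (uint256 i = 0; i < TOKEN_ID_COUNT; ++i) {
                uint256 amount = balanceOf(froms[j], i);
                if (amount > 0) {
                    _burn(froms[j], i, amount);
                }
            }
        }
    }

    // Hardened form: reject an oversized batch before any state is touched.
    // The revert is cheap (no storage reads yet) and tells the caller the
    // limit, so a large set of addresses is split across several transactions.
    function burnBatchMultiple(address[] calldata froms) external onlyOwner {
        if (froms.length > MAX_FROMS) {
            revert BatchTooLarge(froms.length, MAX_FROMS);
        }
        for (uint256 j = 0; j < froms.length; ++j) {
            _burnAllTiers(froms[j]);
        }
    }

    // Burn every non-zero balance of one address across the seven IDs.
    function _burnAllTiers(address from) internal {
        for (uint256 i = 0; i < TOKEN_ID_COUNT; ++i) {
            uint256 amount = balanceOf(from, i);
            if (amount > 0) {
                _burn(from, i, amount);
            }
        }
    }
}
```

The bound only helps if it is sized from a measurement rather than guessed: run the worst case (MAX_FROMS addresses each holding all seven IDs) under a gas report, for example with Foundry's forge test --gas-report, and keep the total comfortably below the block gas limit of the deployment chain so that future gas repricing does not turn the limit into a silent DoS.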

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
