Project

One World
NFTDeFi
15,000 USDC
View results
Submission Details
Severity: low
Invalid

Minting Abuse in OWPIdentity

Issue: In the OWPIdentity contract, the mintBatch and burnBatchMultiple functions allow batch operations without any limits on the input arrays. This lack of restriction could lead to DoS attacks by overloading these functions with large input arrays.

Exploit:

mintBatch and burnBatchMultiple in OWPIdentity accept array inputs without size restrictions. An attacker could overload the contract with a large array, causing excessive gas usage and potential DoS.

Location of Code: OWPIdentity.sol

function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
public onlyRole(MINTER_ROLE)
{
_mintBatch(to, ids, amounts, data);
}
function burnBatchMultiple(address[] memory tos, uint256[] memory ids, uint256[] memory amounts)
public onlyRole(MINTER_ROLE)
{
require(tos.length == ids.length, "Invalid input");
require(amounts.length == ids.length, "Invalid input");
for (uint256 i = 0; i < tos.length; i++) {
_burn(tos[i], ids[i], amounts[i]);
}
}

POC:

// Using a large input array to overload mintBatch
function mintBatchAbuse(address to) public onlyRole(MINTER_ROLE) {
uint256; // Massive array to cause DoS
uint256;
mintBatch(to, ids, amounts, "");
}

Exploit Code:

An attacker could pass excessively large arrays to mintBatch:

// Create an oversized array to cause DoS in mintBatch
uint256;
uint256;
owpIdentity.mintBatch(attacker, ids, amounts, "");

Code Change:

Add array size limits in mintBatch and burnBatchMultiple.

uint256 constant MAX_BATCH_SIZE = 100;
// Restrict size in mintBatch
function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
public onlyRole(MINTER_ROLE)
{
require(ids.length <= MAX_BATCH_SIZE, "Batch size too large");
_mintBatch(to, ids, amounts, data);
}
// Restrict size in burnBatchMultiple
function burnBatchMultiple(address[] memory tos, uint256[] memory ids, uint256[] memory amounts)
public onlyRole(MINTER_ROLE)
{
require(tos.length <= MAX_BATCH_SIZE, "Batch size too large");
require(tos.length == ids.length, "Invalid input");
require(amounts.length == ids.length, "Invalid input");
for (uint256 i = 0; i < tos.length; i++) {
_burn(tos[i], ids[i], amounts[i]);
}
}

Impact: Large arrays can cause significant gas costs and potentially halt contract functionality, affecting the performance of the whole contract and making it susceptible to DoS.

Recommendation: Enforce an upper limit on the number of IDs and amounts in mintBatch and burnBatchMultiple to prevent abuse and excessive gas consumption.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.