Part 2

Summary

The getReceivedMarketFees function iterates over receivedMarketFees without any limits, potentially causing out-of-gas errors. This issue is critical because Zaros emphasizes a seamless trading experience.

Vulnerability Details

• If the number of assets grows too large, the loop could exceed the block gas limit, causing transactions to fail.

• Example Scenario:

  • A user attempts to query market fees for a large number of assets.

  • The transaction fails due to gas exhaustion, disrupting the user experience.

Impact

• Large input sizes could prevent users from querying market fees, harming the platform's usability.

• Zaros aims to offer a top-notch trading experience. Gas-related issues would undermine this goal.

Severity

• **Medium **: While this vulnerability does not directly lead to financial loss, it creates a denial-of-service risk and harms the user experience, which is a key focus for Zaros.

Tools Used

• **Foundry **: Simulated scenarios with large input sizes to identify gas exhaustion issues.

• **Slither **: Detected unbounded loops during static analysis.

• **Echidna **: Fuzzed the function with varying input sizes to test for gas limits.

• **Mithril Security **: Analyzed the impact of unbounded loops on protocol performance.

Recommendations

1. **Add Pagination **:

   • Limit the number of iterations per call and allow users to paginate through results:

     uint256 maxIterations = 100;

     for (uint256 i = 0; i < receivedMarketFees.length && i < maxIterations; i++) {

     // Process fees

     }

2. **Off-Chain Aggregation **:

   • Move large-scale fee aggregation to off-chain systems to reduce on-chain gas usage.