The claimFees function in the FeeDistributionBranch contract accepts an unbounded array of asset addresses, which can lead to excessive gas consumption. This can result in failed transactions and a denial-of-service (DoS) condition in which the function becomes unusable for legitimate users.
The claimFees function processes an array of asset addresses:
Processing a large number of assets can consume more gas than is allowed in a single transaction, causing the transaction to fail.
DoS Vulnerability: An attacker could submit a deliberately large array of assets, rendering the function unusable for legitimate users.
Block Gas Limit: If the gas consumed by the loop exceeds the block gas limit, no transaction involving this function will succeed.
Underlying Cause:
The function does not restrict the size of the assets array or optimize the processing of external calls.
Legitimate users may face failed transactions if the array size exceeds what can be processed within the gas limits.
Denial of Service (DoS):
An attacker could exploit this issue to prevent others from successfully claiming fees by submitting overly large arrays.
Tools Used: Slither
Enforce Limits on Input Array Size:
Restrict the maximum number of assets that can be processed in a single transaction.
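One way to apply this recommendation, shown as an added illustration rather than the audited contract's code: the contract name, the claimable mapping, the cap value and the interface below are all assumptions. The loop is bounded by a constant, skips assets with nothing to claim before making any external call, and zeroes state before each transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (assumed); only transfer() is needed here.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract illustrating a bounded claimFees loop.
contract BoundedFeeClaim {
    // Upper bound on assets per call; chosen so the loop stays well under
    // the block gas limit even when every entry makes an external call.
    uint256 public constant MAX_ASSETS_PER_CLAIM = 20;

    // user => asset => claimable amount (assumed storage layout)
    mapping(address => mapping(address => uint256)) public claimable;

    error TooManyAssets(uint256 provided, uint256 max);
    error TransferFailed(address asset);

    event FeesClaimed(address indexed user, address indexed asset, uint256 amount);

    function claimFees(address[] calldata assets) external {
        uint256 n = assets.length;
        // Reject oversized input up front instead of running out of gas mid-loop.
        if (n > MAX_ASSETS_PER_CLAIM) revert TooManyAssets(n, MAX_ASSETS_PER_CLAIM);

        for (uint256 i = 0; i < n; ++i) {
            address asset = assets[i];
            uint256 amount = claimable[msg.sender][asset];
            if (amount == 0) continue;          // no external call for empty entries

            claimable[msg.sender][asset] = 0;   // effects before interaction
            if (!IERC20Like(asset).transfer(msg.sender, amount)) {
                revert TransferFailed(asset);
            }
            emit FeesClaimed(msg.sender, asset, amount);
        }
    }
}
```

Callers holding fees in more than MAX_ASSETS_PER_CLAIM assets simply claim in several transactions, so the cap bounds gas per call without trapping funds.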