The updatePeriod() function is responsible for updating the reward period and recalculating the average weight of votes. However, it relies on the function:
The function calculateAverage() iterates over past voting periods to compute a time-weighted average. If too many historical periods are stored, this iteration can grow unbounded, leading to high gas consumption and making updatePeriod() fail due to exceeding the block gas limit.
Example exploit scenario:
The contract has been running for a long time, accumulating many past voting periods.
When updatePeriod() is called, calculateAverage() iterates over all past periods.
If there are too many stored periods, the gas cost becomes prohibitively high, causing the transaction to revert due to out-of-gas errors.
Since updatePeriod() is necessary for distributing rewards, this halts reward updates permanently.
The contract can become permanently stuck, preventing new reward periods from starting and halting reward distribution.
Limit the number of past voting periods stored by implementing an expiration mechanism that deletes older periods after a set number of cycles.
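One way to implement this recommendation, shown as an added example rather than the audited contract's own code: a fixed-size ring buffer overwrites the oldest period, so calculateAverage() never iterates more than a constant number of entries. The contract name, struct layout, MAX_PERIODS value and updater role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: names, struct layout and MAX_PERIODS are assumptions,
// not taken from the audited contract.
contract BoundedPeriodHistory {
    struct Period {
        uint64 start;   // period start (unix time)
        uint64 end;     // period end (unix time)
        uint128 weight; // vote weight recorded for the period
    }

    uint256 public constant MAX_PERIODS = 52; // assumed retention window
    Period[MAX_PERIODS] private ring;         // fixed size: old slots get overwritten
    uint256 public count;                     // periods recorded since deployment
    uint64 public lastUpdate;                 // end of the last closed period
    address public immutable updater;         // assumed role allowed to roll periods

    constructor() {
        updater = msg.sender;
        lastUpdate = uint64(block.timestamp);
    }

    // Stand-in for updatePeriod(): closes the current period and stores it.
    function updatePeriod(uint128 weight) external returns (uint256 average) {
        require(msg.sender == updater, "not updater");
        uint64 nowTs = uint64(block.timestamp);
        require(nowTs > lastUpdate, "period is empty");
        // Overwrite the oldest slot instead of growing an array.
        ring[count % MAX_PERIODS] = Period(lastUpdate, nowTs, weight);
        count += 1;
        lastUpdate = nowTs;
        return calculateAverage();
    }

    // Time-weighted average over at most MAX_PERIODS entries, so the gas
    // cost has a fixed ceiling no matter how long the contract has run.
    function calculateAverage() public view returns (uint256) {
        uint256 n = count < MAX_PERIODS ? count : MAX_PERIODS;
        uint256 weightedSum;
        uint256 totalTime;
        for (uint256 i = 0; i < n; i++) {
            Period storage p = ring[i];
            uint256 duration = uint256(p.end) - uint256(p.start);
            weightedSum += uint256(p.weight) * duration;
            totalTime += duration;
        }
        return totalTime == 0 ? 0 : weightedSum / totalTime;
    }
}
```

The trade-off is that the average only reflects the most recent MAX_PERIODS periods, so the retention window has to be chosen to match how far back the reward logic needs to look.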