Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

DoS of distributeRewards()

s0x0mtee

Summary

There's a potential vulnerability in the getTotalWeight function of the GaugeController contract. The function iterates over the _gaugeList array to calculate the total weight of all active gauges. However, there is no limit set on the size of the _gaugeList, which could lead to an Out of Gas (OOG) error if the list becomes excessively large which could then cause a DoS on distributeRewards() that depends on it.

Vulnerability Details

The GaugeController function does not impose any restrictions on the number of gauges that can be added to the _gaugeList. As a result, as the guageList grows, the function may attempt to iterate through a very large array, leading to excessive gas consumption and potentially causing the transaction to fail.

Relevant Code Snippet

/**

* @notice Gets total weight of all active gauges

* @return Total weight across all gauges

function getTotalWeight() public view override returns (uint256) {

uint256 total = 0;

// This could be optimized by maintaining a running total

for (uint256 i = 0; i < _gaugeList.length; i++) {

if (gauges[_gaugeList[i]].isActive) {

total += gauges[_gaugeList[i]].weight;

}

return total;

}

Impact

The lack of a limit on the _gaugeList can lead to a situation where the getTotalWeight function consumes more gas than is available in a single transaction. This could result in failed transactions, which would prevent users from retrieving the total weight of active gauges. In a worst-case scenario, it could lead to denial of service for users trying to interact with the contract.

Tools Used

Manual code review

Recommendations

Limit the Size of _gaugeList: Implement a maximum limit on the number of gauges that can be added to the _gaugeList. This can be done by introducing a cap in the addGauge function.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.