Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Users with large NFT collection will get DOSed while withdrawing in LendingPool

ghostbytes

Description

The LendingPool.withdrawNFT(uint) uses for loop over storage array to validate the current nft being withdrawing. The problem arises when a user has a very large collection such that looping over it consumes all the gas in the block. As a result whole transaction will get reverted and user won't be able to ever withdraw any of his NFT.

function withdrawNFT(uint256 tokenId) external nonReentrant whenNotPaused {
...
UserData storage user = userData[msg.sender];
...
// Remove NFT from user's deposited NFTs
for (uint256 i = 0; i < user.nftTokenIds.length; i++) {
if (user.nftTokenIds[i] == tokenId) {
user.nftTokenIds[i] = user.nftTokenIds[user.nftTokenIds.length - 1];
user.nftTokenIds.pop();
break;
}
}
...
}

Recommendations

use a mapping structure along with arrays such that mappings track whether a certain tokenId is owned by user, by doing that lot of gas will be saved and DOS will be prevented

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

LendingPool: Unbounded NFT array iteration in collateral valuation functions creates DoS risk, potentially blocking liquidations and critical operations

LightChaser L-36 and M-02 covers it.

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

LendingPool: Unbounded NFT array iteration in collateral valuation functions creates DoS risk, potentially blocking liquidations and critical operations

LightChaser L-36 and M-02 covers it.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!