Core Contracts

Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Submission Details
Severity: medium
Invalid

Unbounded Batch Array Enables DoS in writeBatchCheckpoints Function

Summary

The writeBatchCheckpoints accepts an arbitrary values array without imposing a maximum length, allowing an attacker to pass an extremely large array and force the transaction to exceed gas limits and revert.

Vulnerability Details

The writeBatchCheckpoints function processes each element of values in a loop without any limit on the array’s size. This design breaks the protocol’s reliability that checkpoints always update successfully.

An attacker can inject a massive values array into the function, consuming excessive gas and causing the block gas limit to be surpassed. The transaction reverts, blocking the checkpoint update entirely. This sequence effectively denies service to legitimate users who attempt to write normal‐sized batches in the same call path, as any excessively large array kills the entire operation. The vulnerability becomes critical if the function is exposed to untrusted input or user‐level calls.

function writeBatchCheckpoints(
Checkpoint[] storage self,
function(uint256, uint256) view returns (uint256) op,
uint256[] memory values
)
internal
returns (uint32[] memory blockNumbers, uint224[] memory newValues)
{
/*
* @audit: there is no limit on values.length.
* An attacker can supply an excessively large array, forcing each element to be processed in this loop.
* If values is big enough, gas consumption will exceed the block limit and revert, denying service.
*/
uint256 length = values.length;
if (length == 0) return (new uint32[](0), new uint224[](0));
blockNumbers = new uint32[](length);
newValues = new uint224[](length);
for (uint256 i = 0; i < length; i++) {
// For each entry, we call writeCheckpoint, which further increases gas usage
(blockNumbers[i], newValues[i]) = writeCheckpoint(self, op, values[i]);
}
emit BatchCheckpointsWritten(blockNumbers, newValues);
return (blockNumbers, newValues);
}

Impact

This flaw allows an attacker to disrupt checkpoint updates, causing all writes in the transaction to revert. It directly impacts the system’s ability to store batched historical values, resulting in a complete DoS for that function call. I've rated the impact as Medium since a malicious user can stall checkpoint operations.

Tools Used

Manual Review

Recommendations

Impose a safe upper bound on the array length before processing.

uint256 constant MAX_BATCH_SIZE = 100;
function writeBatchCheckpoints(
Checkpoint[] storage self,
function(uint256, uint256) view returns (uint256) op,
uint256[] memory values
) internal returns (uint32[] memory, uint224[] memory) {
require(values.length <= MAX_BATCH_SIZE, "Batch size too large");
// [...]
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Out of scope
inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.