The writeBatchCheckpoints function accepts an arbitrary values array without imposing a maximum length, allowing an attacker to pass an extremely large array and force the transaction to exceed the block gas limit and revert.
The writeBatchCheckpoints function processes each element of values in a loop without any limit on the array's size. This design breaks the protocol's reliability guarantee that checkpoints always update successfully.
An attacker can inject a massive values array into the function, consuming excessive gas and causing the block gas limit to be surpassed. The transaction reverts, blocking the checkpoint update entirely. This sequence effectively denies service to legitimate users who attempt to write normal-sized batches in the same call path, since any excessively large array kills the entire operation. The vulnerability becomes critical if the function is exposed to untrusted input or user-level calls.
This flaw allows an attacker to disrupt checkpoint updates, causing all writes in the transaction to revert. It directly impacts the system’s ability to store batched historical values, resulting in a complete DoS for that function call. I've rated the impact as Medium since a malicious user can stall checkpoint operations.
Manual Review
Impose a safe upper bound on the array length before processing.
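As an added illustration of the recommendation (this is not the audited project's code; the contract name, the Checkpoint struct, the helper names and the MAX_BATCH value are assumptions), the unbounded loop is shown next to a version that rejects oversized batches before doing any work:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract, not the project under review. Storage layout,
/// function names and the MAX_BATCH bound are assumed for the example.
contract CheckpointStore {
    struct Checkpoint {
        uint256 blockNumber;
        uint256 value;
    }

    Checkpoint[] private _checkpoints;

    /// Upper bound on elements per call. The concrete number is an assumption;
    /// in practice it is derived by measuring the gas cost of one loop
    /// iteration against the target chain's block gas limit, with headroom.
    uint256 public constant MAX_BATCH = 256;

    error EmptyBatch();
    error BatchTooLarge(uint256 length, uint256 maxLength);

    /// Vulnerable shape: nothing limits values.length, so a single call with
    /// an enormous array runs out of gas and reverts every write in the batch.
    function writeBatchCheckpointsUnbounded(uint256[] calldata values) external {
        for (uint256 i = 0; i < values.length; ++i) {
            _push(values[i]);
        }
    }

    /// Hardened shape: validate the length first, then loop. The check is
    /// cheap and runs before any storage writes, so an oversized batch fails
    /// fast with a descriptive error instead of exhausting the block gas limit.
    function writeBatchCheckpoints(uint256[] calldata values) external {
        uint256 len = values.length;
        if (len == 0) revert EmptyBatch();
        if (len > MAX_BATCH) revert BatchTooLarge(len, MAX_BATCH);
        for (uint256 i = 0; i < len; ++i) {
            _push(values[i]);
        }
    }

    /// Number of checkpoints stored so far; useful for callers paginating
    /// large histories into MAX_BATCH-sized chunks across transactions.
    function checkpointCount() external view returns (uint256) {
        return _checkpoints.length;
    }

    function getCheckpoint(uint256 index) external view returns (Checkpoint memory) {
        return _checkpoints[index];
    }

    function _push(uint256 value) private {
        _checkpoints.push(Checkpoint({blockNumber: block.number, value: value}));
    }
}
```

Callers that legitimately need to record more than MAX_BATCH values split the work across several transactions; each chunk is bounded, so one caller's large submission can no longer revert the shared call path for everyone else. If a bound cannot be fixed at deploy time, the same check can read an owner-adjustable limit instead of a constant, as long as the limit is validated before the loop rather than inside it.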