Vyper Vested Claims
First Flight #34
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Unbounded Loop in Merkle Proof Verification inside `_verify_proof` function.

mishraji874

Description: The _verify_proof function iterates through a dynamic array of proof elements without a limit on gas consumption, which could lead to out-of-gas errors for large proofs.

Lines 85-93:

def _verify_proof(proof: DynArray[bytes32, 20], leaf: bytes32) -> bool:
"""
@notice This function is used to verify the merkle proof
@param proof: DynArray[bytes32, 20], the merkle proof
@param leaf: bytes32, the leaf node
@return bool: True if the proof is valid
"""
computed_hash: bytes32 = leaf
for proof_element: bytes32 in proof:
computed_hash = self._hash_pair(computed_hash, proof_element)
return computed_hash == self.merkle_root

Impact: While the DynArray is bounded to 20 elements (which mitigates the issue significantly), complex merkle trees could still require a significant amount of gas for verification. In extreme cases, this could lead to transaction failures due to reaching block gas limits.

Recommended Mitigation: The current implementation is already partially mitigated by limiting the array to 20 elements. Consider adding a check to ensure the proof length is reasonable:

def _verify_proof(proof: DynArray[bytes32, 20], leaf: bytes32) -> bool:
assert len(proof) <= 20, "Proof too long"
computed_hash: bytes32 = leaf
for proof_element: bytes32 in proof:
computed_hash = self._hash_pair(computed_hash, proof_element)
return computed_hash == self.merkle_root
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.