Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Getters copy entire arrays and can exhaust gas

proofofexploit

getListOfStudents() (and similar functions for teachers) returns an in-memory copy of the storage array. Solidity generates code that:

Iterates over the entire array in _storage.
Allocates a new array in _memory of the same length.
Copies each element one by one.

As the number of elements grows, the gas required can exceed the block gas limit and cause the call to revert. Any UI or off-chain integration relying on this getter becomes unable to read the full list, resulting in a read-side Denial-of-Service (DoS) and poor user experience.

Impact:

With hundreds or thousands of students or teachers, the call may revert, breaking dashboards or scripts that depend on the getter.

The on-chain contract still works, but users cannot retrieve the data—leading to reputational damage and loss of transparency.

Proof of Concept:

function test_bigArrayGetterConsumesHugeGas() public {

// matriculamos 2000 alumnos

for (uint256 i; i < 2000; ++i) {

address s = makeAddr(string(abi.encodePacked("s", i)));

usdc.mint(s, schoolFees);

vm.startPrank(s);

usdc.approve(address(levelOneProxy), schoolFees);

levelOneProxy.enroll();

vm.stopPrank();

}

// medimos gas de la llamada estática

uint256 gasBefore = gasleft();

levelOneProxy.getListOfStudents(); // view

uint256 gasUsed = gasBefore - gasleft();

console2.log("Gas usado getter:", gasUsed); // suele >> 8 M

assertTrue(gasUsed > 8_000_000);

}

output

[FAIL: assertion failed] test_bigArrayGetterConsumesHugeGas() (gas: 271855848)

Recommended Mitigation:

Don’t return the entire array; implement pagination.

function students(uint256 _start, uint256 _count)

external

view

returns (address[] memory page)

{

uint256 end = _start + _count;

if (end > listOfStudents.length) end = listOfStudents.length;

page = new address[](end - _start);

for (uint256 i = _start; i < end; i++) {

page[i - _start] = listOfStudents[i];

}

Or emit events and let consumers index the data off-chain.

Document that getters for large arrays are for development only and should not be used in production without limits.

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.