Hawk High

First Flight #39
Beginner Friendly, Solidity
Impact: low
Likelihood: low
Invalid

Unbounded Array Return in View Functions Leads to Gas Limit DoS

Summary

The getListOfStudents() and getListOfTeachers() functions return the complete arrays of all students and teachers, potentially causing out-of-gas errors when the lists grow large.

Vulnerability Details

Root cause:

function getListOfStudents() external view returns (address[] memory) {
    return listOfStudents;
}

Initial State:

  • Contract deployed with empty student/teacher lists

  • Lists grow as users are added

Step 1: Lists grow beyond block gas limits
Step 2: View functions attempt to return full arrays
Step 3: Transactions revert due to out-of-gas errors

Implications:

  • Frontend applications fail to load data

  • Contract becomes partially unusable

  • High gas costs for users

Impact

  • Frontend applications unable to fetch complete lists

  • Potential DoS of critical contract functionality

  • Excessive gas costs for users

  • Reduced contract usability

Tools Used

Manual Review

Recommendations

Implement pagination:

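// Math is OpenZeppelin's library: import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";
function getListOfStudents(uint256 offset, uint256 limit) external view returns (address[] memory) {
    require(limit <= 100, "Max 100 per page");
    uint256 total = listOfStudents.length;
    // An offset at or past the end yields an empty page instead of underflowing below.
    if (offset >= total) {
        return new address[](0);
    }
    uint256 size = Math.min(limit, total - offset);
    address[] memory subset = new address[](size);
    for (uint256 i = 0; i < size; i++) {
        subset[i] = listOfStudents[offset + i];
    }
    return subset;
}
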
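
How a frontend could consume the paginated getter, as an added example that is not part of the original submission or the Hawk High code base. The names makeStubContract and fetchAllStudents are hypothetical, and the stub is a constructed in-memory stand-in for a contract exposing getListOfStudents(offset, limit) with the 100-per-page cap.

```javascript
// Constructed stand-in for the contract: enforces the 100-per-page cap and
// returns an empty page once the offset reaches the end of the list.
function makeStubContract(addresses) {
  return {
    calls: 0,
    async getListOfStudents(offset, limit) {
      this.calls++;
      if (limit > 100) throw new Error("Max 100 per page");
      return addresses.slice(offset, offset + limit);
    },
  };
}

// Fetch the whole list page by page (hypothetical helper).
// - pageSize is validated client-side so a bad value never reaches the node.
// - A short or empty page marks the end of the list.
// - maxPages bounds the loop so a list that keeps growing cannot pin the client.
async function fetchAllStudents(contract, pageSize = 100, maxPages = 1000) {
  if (!Number.isInteger(pageSize) || pageSize < 1 || pageSize > 100) {
    throw new RangeError("pageSize must be an integer in 1..100");
  }
  const all = [];
  for (let page = 0; page < maxPages; page++) {
    // The next offset is simply the number of entries collected so far.
    const chunk = await contract.getListOfStudents(all.length, pageSize);
    all.push(...chunk);
    if (chunk.length < pageSize) return all;
  }
  throw new Error("list exceeds maxPages * pageSize entries");
}
```

Against a live node, pin every page request to the same block so that all pages come from one consistent state of the list.
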
Updates

Lead Judging Commences

yeahchibyke Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
