getUserMemorabiliaDetailed + Denial of Service (DoS) Impact

Normally, a view function like getUserMemorabiliaDetailed is expected to return a user's memorabilia efficiently, regardless of the number of collections or items. In this implementation, the function uses nested loops to iterate over every memorabilia collection and every item within each collection, performing a balanceOf check for each. As the number of collections and items grows, the function's gas usage increases quadratically (it scales with the number of collections multiplied by the number of items per collection).
Likelihood:
This will occur as soon as the number of memorabilia collections and items grows beyond a trivial amount.
Any active festival with ongoing memorabilia redemptions will eventually hit the block gas limit, making the function unusable.
Impact:
The function will become permanently unusable, causing a Denial of Service for any user or dApp that relies on it.
Off-chain services and users will be unable to retrieve memorabilia data, breaking user experience and integrations.
The following scenario demonstrates the issue: as more memorabilia collections and items are created, the function's gas usage increases until it exceeds the block gas limit.
This type of data aggregation should be handled off-chain. Remove the function and rely on event indexing for memorabilia tracking.
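The pattern described above, as an added illustration that is not the audited project's code: the nested-loop view that issues one external balanceOf call per item, beside the event-based replacement the recommendation calls for. The contract, struct and event names, and the ERC1155-style balanceOf(account, id) interface, are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code; all names below are assumed.
interface IERC1155Like {
    function balanceOf(address account, uint256 id) external view returns (uint256);
}

contract MemorabiliaRegistry {
    struct Collection {
        IERC1155Like token;   // token contract holding this collection's items
        uint256[] itemIds;    // grows with every new memorabilia item
    }
    Collection[] public collections; // grows with every new collection

    // Indexers (e.g. a subgraph) reconstruct per-user holdings from this event.
    event MemorabiliaRedeemed(address indexed user, uint256 indexed collectionId, uint256 indexed itemId, uint256 amount);

    // VULNERABLE PATTERN: one external balanceOf call per (collection, item) pair.
    // Work is collections * itemsPerCollection, so once enough items exist the call
    // exceeds the block gas limit (or the node's eth_call gas cap) and reverts for everyone.
    function getUserMemorabiliaDetailed(address user)
        external view
        returns (uint256[] memory collectionIds, uint256[] memory itemIds, uint256[] memory balances)
    {
        uint256 total;
        for (uint256 c; c < collections.length; ++c) total += collections[c].itemIds.length;
        collectionIds = new uint256[](total);
        itemIds = new uint256[](total);
        balances = new uint256[](total);
        uint256 k;
        for (uint256 c; c < collections.length; ++c) {
            uint256[] storage ids = collections[c].itemIds;
            for (uint256 i; i < ids.length; ++i) {
                collectionIds[k] = c;
                itemIds[k] = ids[i];
                balances[k] = collections[c].token.balanceOf(user, ids[i]); // external call
                ++k;
            }
        }
    }

    // MITIGATION: drop the aggregating view. Each redemption emits an event and the
    // per-user listing is built off-chain, so on-chain cost stays constant per redemption.
    function _recordRedemption(address user, uint256 collectionId, uint256 itemId, uint256 amount) internal {
        emit MemorabiliaRedeemed(user, collectionId, itemId, amount);
    }
}
```

A caller that needs the listing on-chain for a bounded subset can still be served by a paginated getter over a single collection, but the unbounded nested loop should not ship.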