Submission Details
Impact:
Likelihood:
Unlimited gas consumption during re-initialization
Root + Impact
Description
The set_secret function is designed to store a user's secret once as a Vault resource. However, the current implementation allows the function to be called indefinitely for a single account, resulting in unnecessary consumption of gas by the user
public entry fun set_secret(caller:&signer,secret:vector<u8>){
let secret_vault = Vault{secret: string::utf8(secret)};
move_to(caller,secret_vault); // @> Vulnerability: Always creates a new resource
event::emit(SetNewSecret {});
}
Risk
Likelihood:
-
The move_to operation has a high gas cost (~1000-5000 units)
-
No protection allows unlimited calls
Impact:
-
Financial losses of users due to useless gas consumption
-
Possibility of depletion of account balance by an attacker
-
Network performance degradation due to spam transactions
Recommended Mitigation
+ const ALREADY_INITIALIZED: u64 = 2;
public entry fun set_secret(caller: &signer, secret: vector<u8>) {
+ let addr = signer::address_of(caller);
+ assert!(!exists<Vault>(addr), ALREADY_INITIALIZED);
+
let secret_vault = Vault { secret: string::utf8(secret) };
move_to(caller, secret_vault);
event::emit(SetNewSecret {});
}
Rewards breakdown
nSLOC
30This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.