BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Unbounded Array Loop Leading to Permanent Denial-of-Service (DoS)

bigchapo21

Root + Impact

Description

Users deposit assets before they join an event, this asset is stored as 'stakedAssets' and when the user tries to join an event, this staked asset is checked to ensure that the user has deposited before the user's address is stored in the dynamic array 'usersAddress'
The problem here is that the array is unbounded, can grow indefinetly, so an attacker can fill the array with thousands of different addresses, or same address multiple times, so when owner goes to call the 'setWinner' function to set the winning country, the function '_getWinnerShares' is called internally within the function, this function iterates over the 'usersAddress' array, the function will hit the block gas limit and revert, meaning owner can't set a winner

function _getWinnerShares () internal returns (uint256) {

for (uint256 i = 0; i < usersAddress.length; ++i){

address user = usersAddress[i];

totalWinnerShares += userSharesToCountry[user][winnerCountryId];

}

return totalWinnerShares;

}

Risk

Likelihood:

If owner goes to set the winning team after attacker has filled the array past the gas limit threshold of a block

Impact:

Direct DOS leading to stuck funds in the protocol, since owner can't set a winning country, nobody can claim funds

Proof of Concept

Recommended Mitigation

- address[] public usersAddress;

+ (mapping(address => bool) private hasJoined;)

Replace the dynamic usersAddress array with a simple mapping (mapping(address => bool) private hasJoined;) to track participation status.

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Unbounded Loop in _getWinnerShares Causes Denial of Service

The _getWinnerShares() function is intended to iterate through all users and sum their shares for the winning country, returning the total.

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!