Santa's List
AI First Flight #3
Beginner Friendly, Foundry
Submission Details
Severity: low
Valid

M-4: SantasList contract exceeds 24.576 kB max deployable size at 56.43 kB

Summary

SantasList contract is 56.43 kB, exceeding the EVM max deployable contract size of 24.576 kB. Deployment will fail.

Vulnerability Details

The TOKEN_URI constant contains a 51,373-character base64-encoded SVG stored directly in bytecode. forge build --sizes shows SantasList at 56.43 kB with margin -31.854 kB.

Impact

MEDIUM — Contract cannot be deployed on any EVM chain due to exceeding the Spurious Dragon size limit.

Proof of Concept

```shell
forge build --sizes
# SantasList | 56.43 kB | -31.854 kB margin
```

Recommended Fix

Move TOKEN_URI to IPFS and store only the IPFS hash on-chain, or split into a separate storage contract.
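The check below is an added example, not part of the submission or the SantasList codebase: it turns the `forge build --sizes` output into a CI gate for the EIP-170 limit and shows that a 51,373-character `string constant` on its own already exceeds the 24,576-byte deployed-code cap. The table excerpt and the runtime bytecode are constructed stand-ins, not real artifacts.

```python
import re

# Spurious Dragon / EIP-170 maximum deployed code size (24.576 kB).
EIP170_LIMIT_BYTES = 24_576

# Constructed excerpt of the `forge build --sizes` table quoted in the finding.
FORGE_SIZES_OUTPUT = """\
| Contract       | Size (kB) | Margin (kB) |
|----------------|-----------|-------------|
| SantaToken     | 3.324     | 21.252      |
| SantasList     | 56.43     | -31.854     |
| TokenUri       | 51.615    | -27.039     |
"""

# One table row: | name | size | margin |  (header and separator rows do not match)
ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*(-?\d+(?:\.\d+)?)\s*\|\s*(-?\d+(?:\.\d+)?)\s*\|")

def oversized_from_forge_table(table: str) -> dict[str, float]:
    """Return {contract: kB over the limit} for every row whose margin is negative."""
    over: dict[str, float] = {}
    for line in table.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or non-table compiler output
        name, size_kb, margin_kb = m.group(1), float(m.group(2)), float(m.group(3))
        if margin_kb < 0:
            # Recompute the excess from the size so a mis-reported margin is caught too.
            over[name] = round(size_kb - EIP170_LIMIT_BYTES / 1000, 3)
    return over

def deployed_code_size(bytecode_hex: str) -> int:
    """Byte length of deployed code given as 0x-hex (forge artifact `deployedBytecode.object`)."""
    return len(bytes.fromhex(bytecode_hex.removeprefix("0x")))

def exceeds_eip170(bytecode_hex: str) -> bool:
    """True when the deployed code would be rejected by CREATE/CREATE2 under EIP-170."""
    return deployed_code_size(bytecode_hex) > EIP170_LIMIT_BYTES

# Constructed stand-in for a 51,373-character TOKEN_URI: a `string constant` is embedded
# in the runtime code, so it costs at least one byte per character before any logic.
SAMPLE_TOKEN_URI = "data:image/svg+xml;base64," + "A" * (51_373 - 26)
CONSTRUCTED_RUNTIME = "0x6080604052" + SAMPLE_TOKEN_URI.encode().hex()

if __name__ == "__main__":
    for name, excess in oversized_from_forge_table(FORGE_SIZES_OUTPUT).items():
        print(f"{name}: {excess} kB over the EIP-170 limit")
    print("constant alone exceeds the limit:", exceeds_eip170(CONSTRUCTED_RUNTIME))
```

Running `forge build --sizes` in CI and failing the job when `oversized_from_forge_table` returns a non-empty dict catches this class of issue before a deployment transaction reverts.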

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 3 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-05] Oversized contract will make deployment fail

## Description

Oversized contract will make deployment fail

## Vulnerability Details

The `SantasList.sol:SantasList` contract is oversized (56.43 kB). This is due to the fact that the constant variable `TOKEN_URI` is stored in the bytecode, which is `51373` characters in length. Oversized contracts can't be deployed.

### PoC

```
forge build --sizes
[⠒] Compiling...
[⠊] Compiling 2 files with 0.8.22
[⠒] Solc 0.8.22 finished in 1.85s
Compiler run successful!

| Contract       | Size (kB) | Margin (kB) |
|----------------|-----------|-------------|
| Math           | 0.086     | 24.49       |
| MockERC20      | 3.69      | 20.886      |
| MockERC721     | 3.827     | 20.749      |
| SantaToken     | 3.324     | 21.252      |
| SantasList     | 56.43     | -31.854     |
| SignedMath     | 0.086     | 24.49       |
| StdStyle       | 0.086     | 24.49       |
| Strings        | 0.086     | 24.49       |
| TokenUri       | 51.615    | -27.039     |
| console        | 0.086     | 24.49       |
| console2       | 0.086     | 24.49       |
| safeconsole    | 0.086     | 24.49       |
| stdError       | 0.592     | 23.984      |
| stdJson        | 0.086     | 24.49       |
| stdMath        | 0.086     | 24.49       |
| stdStorage     | 0.086     | 24.49       |
| stdStorageSafe | 0.086     | 24.49       |
```

## Impact

MEDIUM. Contract can't be deployed due to the `TOKEN_URI` size.

## Recommendations

`TOKEN_URI` should be modified to prevent the oversized contract. Ideally, this can be an `ipfs` url, which will be shorter.
