This repository has been archived by the owner on May 26, 2023. It is now read-only.
kiki_dev - Unbound loop in getLockedFunds() can cause DOS preventing refunds. #299
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
kiki_dev
medium
Unbound loop in getLockedFunds() can cause DOS preventing refunds.
Summary
getLockedfundsitterates through all deposits to determine which funds are locked. Anyone could make enough deposits that would cause thegetLockedFunds()to run out of gas. If this were to happen it would be impossible for anyone to use therefund()function. Locking all depositors funds.Vulnerability Detail
When a user makes a deposit the deposits Id's get stored in an array called
deposits. This array is used in thegetLockedFunds()method fromBountyCore.solwhich is called whenver a user callsrefund().getLockedfundswill loop through every deposit checking if the deposit is eligible to be refunded. There is no limit to how big this loop can be and no way of reducing the size ofdeposits[]. This means that eventually the loop will get too big and run out of gas.Here is a scenario:
Alice creates a bounty for 1000 Matic.
Bob wants to lock Alices funds in the contract so he submits many deposits worth only a dust amount.
Alice After a month of this bounty being posted with no success attmeps to get a refund for her bounty.
Alice's refund fails due to an out of gas limit.
Alice no longer has access to her funds and has lost 1000 Matic.
Impact
Loss of funds. Anyone who makes a deppoist to a bounty is vunerable to getting all of thier funds locked.
Code Snippet
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L341
Tool used
Manual Review
Recommendation
Dont itterate through a unbound loop to detemrine which funds are eligible to be refunded.
Duplicate of #77
The text was updated successfully, but these errors were encountered: