Plain Mustard Goose
Medium
The cancel function in the PredictDotLoan contract processes an array of SaltCancellationRequest structs. If the array size is excessively large, it could lead to high gas consumption, potentially exceeding the block gas limit and causing a Denial of Service (DoS) condition.
The cancel function iterates over an array of SaltCancellationRequest structs to update the saltCancellations mapping for each request. Each iteration and update operation consumes gas. If the array is too large, the total gas required for the transaction could exceed the block gas limit. When the gas limit is exceeded, the transaction fails, and any state changes are reverted. This can prevent legitimate requests from being processed.
-
Legitimate users may be unable to process their cancellation requests if the contract is targeted with large input arrays, effectively blocking or delaying operations.
-
Even if not fully blocking, such attacks can increase gas prices on the network, making it more expensive for users to interact with the contract.
-
The attacker identifies the cancel function as a target, which processes an array of SaltCancellationRequest structs.
-
The attacker crafts a transaction with a very large array of SaltCancellationRequest structs. The goal is to make the array as large as possible while still being accepted by the network.
-
The attacker submits the transaction to the Ethereum network. The transaction includes the large array intended to consume a significant amount of gas.
-
As the contract processes each element in the array, the gas consumption increases. If the total gas required exceeds the block gas limit, the transaction will fail. When the gas limit is exceeded, the transaction fails, and any state changes are reverted. This means the transaction does not succeed, but the attacker may achieve their goal of causing disruption
-
Users may find it difficult to process their transactions if the network is congested with high-gas transactions. This could delay or prevent important operations from being executed.
Manual Review
Introduce a maxRequests variable to limit the number of requests that can be processed. This helps prevent excessive gas consumption and potential DoS attacks.
``
function cancel(SaltCancellationRequest[] calldata requests) external { if (requests.length == 0) { revert NoSaltCancellationRequests(); }
// Set a maximum limit for the number of requests that can be processed in a single transaction
uint256 maxRequests = 100; // Example limit, adjust based on gas cost analysis
if (requests.length > maxRequests) {
revert TooManyRequests();
}
for (uint256 i; i < requests.length; ++i) {
SaltCancellationRequest calldata request = requests[i];
uint256 salt = request.salt;
SaltCancellationStatus storage status = saltCancellations[msg.sender][salt];
if (!request.lending && !request.borrowing) {
revert NotCancelling();
}
if (request.lending) {
if (status.lending) {
revert SaltAlreadyCancelled(salt);
}
status.lending = true;
}
if (request.borrowing) {
if (status.borrowing) {
revert SaltAlreadyCancelled(salt);
}
status.borrowing = true;
}
}
emit SaltsCancelled(msg.sender, requests);
}
``