
Unbounded Testimonial Enumeration Enables Gas-Based Denial of Service #28

Description

@aniket866

Where: VouchMe.sol

  • A user receives testimonials over time
  • Each testimonial token ID is appended to _receivedTestimonials[receiver]
  • The array grows continuously with no upper bound
  • A dApp or user calls getReceivedTestimonials(receiver)
  • The function attempts to return the entire array in a single call
  • Solidity tries to copy all stored token IDs into memory
  • As the number of testimonials increases (hundreds or thousands), the gas cost of copying the array grows linearly
  • The call eventually exceeds the block gas limit
  • The function call reverts due to out-of-gas
  • No partial data is returned
  • The failure happens even in read-only calls used by frontends
  • The affected user can no longer retrieve their testimonials on-chain
```solidity
// Maps user address to their received testimonial token IDs
mapping(address => uint256[]) private _receivedTestimonials;

// ... inside createTestimonial ...
// Every new testimonial appends to the receiver's array; nothing ever bounds its length
_receivedTestimonials[msg.sender].push(newTokenId);

/**
 * @dev Gets all testimonials received by a specific address
 * @param receiver The address to get testimonials for
 * @return An array of testimonial token IDs
 */
function getReceivedTestimonials(address receiver) external view returns (uint256[] memory) {
    // Copies the whole storage array into memory in one call: cost grows with array length
    return _receivedTestimonials[receiver];
}
```

@KanishkSogani What's your view on this? Feel free to assign.
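One way to cap the per-call cost described above is a paginated getter alongside an O(1) count. The following is an added example, not VouchMe's own code: the `_receivedTestimonials` mapping comes from the issue, while `MAX_PAGE_SIZE`, `getReceivedTestimonialCount` and `getReceivedTestimonialsPaged` are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not VouchMe's code): paginated replacement for the unbounded getter.
/// Function names and MAX_PAGE_SIZE are assumptions; the mapping is from the issue.
contract PagedTestimonials {
    mapping(address => uint256[]) private _receivedTestimonials;

    /// Upper bound on items copied to memory per call, so one read costs a bounded
    /// amount of gas no matter how many testimonials a user has accumulated.
    uint256 public constant MAX_PAGE_SIZE = 100;

    /// Where createTestimonial would append; unchanged from the issue's pattern.
    function _record(address receiver, uint256 tokenId) internal {
        _receivedTestimonials[receiver].push(tokenId);
    }

    /// O(1) read: lets a frontend size its pagination loop without copying anything.
    function getReceivedTestimonialCount(address receiver) external view returns (uint256) {
        return _receivedTestimonials[receiver].length;
    }

    /// Returns at most `limit` token IDs (capped at MAX_PAGE_SIZE) starting at `offset`.
    /// An offset past the end yields an empty array rather than reverting, so a caller
    /// walking pages terminates cleanly instead of hitting out-of-gas on a large user.
    function getReceivedTestimonialsPaged(address receiver, uint256 offset, uint256 limit)
        external
        view
        returns (uint256[] memory page)
    {
        uint256[] storage all = _receivedTestimonials[receiver];
        uint256 total = all.length;
        if (offset >= total) return new uint256[](0);
        if (limit > MAX_PAGE_SIZE) limit = MAX_PAGE_SIZE;
        uint256 end = offset + limit; // limit <= 100 and offset < total, so no overflow
        if (end > total) end = total;
        page = new uint256[](end - offset);
        for (uint256 i = offset; i < end; i++) {
            page[i - offset] = all[i];
        }
    }
}
```

A frontend reads the count once, then requests pages with `offset` stepping by `MAX_PAGE_SIZE`; each request stays within a fixed gas budget regardless of the user's total.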
