Unbounded Testimonial Enumeration Enables Gas-Based Denial of Service #28
Description
Where: VouchMe.sol
- A user receives testimonials over time
- Each testimonial token ID is appended to _receivedTestimonials[receiver]
- The array grows continuously with no upper bound
- A dApp or user calls getReceivedTestimonials(receiver)
- The function attempts to return the entire array in a single call
- Solidity tries to copy all stored token IDs into memory
- As the number of testimonials increases (hundreds or thousands),
- The gas cost of copying the array grows linearly
- The call eventually exceeds the block gas limit
- The function call reverts due to out-of-gas
- No partial data is returned
- The failure happens even in read-only calls used by frontends
- The affected user can no longer retrieve their testimonials on-chain
// Maps user address to their received testimonial token IDs
mapping(address => uint256[]) private _receivedTestimonials; //
// ... inside createTestimonial ...
_receivedTestimonials[msg.sender].push(newTokenId); //
/**
* @dev Gets all testimonials received by a specific address
* @param receiver The address to get testimonials for
* @return An array of testimonial token IDs
*/
function getReceivedTestimonials(address receiver) external view returns (uint256[] memory) {
return _receivedTestimonials[receiver]; //
}
@KanishkSogani What's your view on this , Feel free to assign