Unbounded Testimonial Enumeration Enables Gas-Based Denial of Service #28

@aniket866

Description

Where: VouchMe.sol

  • A user receives testimonials over time
  • Each testimonial token ID is appended to _receivedTestimonials[receiver]
  • The array grows continuously with no upper bound
  • A dApp or user calls getReceivedTestimonials(receiver)
  • The function attempts to return the entire array in a single call
  • Solidity tries to copy all stored token IDs into memory
  • As the number of testimonials increases (hundreds or thousands),
  • The gas cost of copying the array grows linearly
  • The call eventually exceeds the block gas limit
  • The function call reverts due to out-of-gas
  • No partial data is returned
  • The failure happens even in read-only calls used by frontends
  • The affected user can no longer retrieve their testimonials on-chain
```solidity
// Maps user address to their received testimonial token IDs
mapping(address => uint256[]) private _receivedTestimonials;

// ... inside createTestimonial ...
_receivedTestimonials[msg.sender].push(newTokenId);

/**
 * @dev Gets all testimonials received by a specific address
 * @param receiver The address to get testimonials for
 * @return An array of testimonial token IDs
 */
function getReceivedTestimonials(address receiver) external view returns (uint256[] memory) {
    return _receivedTestimonials[receiver];
}
```

@KanishkSogani What's your view on this? Feel free to assign.
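The usual mitigation for an unbounded array getter is to keep the storage layout but expose it through a count function, a single-index accessor and a page-bounded getter, so that no caller can trigger a copy whose size is controlled by the number of testimonials a receiver has accumulated. The contract below is an added illustration, not VouchMe's code: it keeps the report's `_receivedTestimonials` mapping and `getReceivedTestimonials` getter and places a paginated alternative beside them. The contract name, `MAX_PAGE_SIZE`, `_record`, and the `*Count`, `*At` and `*Paged` function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not VouchMe.sol): unbounded getter next to a bounded one.
contract PaginatedTestimonials {
    // Same storage shape as in the report
    mapping(address => uint256[]) private _receivedTestimonials;

    // Assumed cap on ids returned per call; size it to the read gas budget of the frontends
    uint256 public constant MAX_PAGE_SIZE = 100;

    // Stand-in for the push performed inside createTestimonial
    function _record(address receiver, uint256 tokenId) internal {
        _receivedTestimonials[receiver].push(tokenId);
    }

    /// Unbounded: copies the entire storage array into memory, so the cost grows
    /// linearly with the receiver's testimonial count and eventually reverts out-of-gas.
    function getReceivedTestimonials(address receiver) external view returns (uint256[] memory) {
        return _receivedTestimonials[receiver];
    }

    /// O(1): lets callers learn how many pages to request.
    function getReceivedTestimonialCount(address receiver) external view returns (uint256) {
        return _receivedTestimonials[receiver].length;
    }

    /// O(1): single element access; reverts on an out-of-range index.
    function getReceivedTestimonialAt(address receiver, uint256 index) external view returns (uint256) {
        return _receivedTestimonials[receiver][index];
    }

    /// Bounded: returns at most MAX_PAGE_SIZE ids starting at `offset`.
    /// Returns an empty array (instead of reverting) when `offset` is past the end,
    /// and clamps the last page to the remaining elements.
    function getReceivedTestimonialsPaged(address receiver, uint256 offset, uint256 limit)
        external
        view
        returns (uint256[] memory page)
    {
        uint256[] storage ids = _receivedTestimonials[receiver];
        uint256 total = ids.length;
        if (offset >= total || limit == 0) {
            return new uint256[](0);
        }
        if (limit > MAX_PAGE_SIZE) {
            limit = MAX_PAGE_SIZE;
        }
        uint256 end = offset + limit;
        if (end > total) {
            end = total;
        }
        page = new uint256[](end - offset);
        for (uint256 i = offset; i < end; ++i) {
            page[i - offset] = ids[i];
        }
    }
}
```

A frontend calls `getReceivedTestimonialCount` once and then walks `getReceivedTestimonialsPaged` in steps of `MAX_PAGE_SIZE`; the gas of each read is bounded by the constant rather than by the array length, so a receiver with thousands of testimonials remains readable. Whether the legacy unbounded getter is kept for small accounts or removed outright is a project decision, but any on-chain consumer should only ever depend on the bounded variants.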
