Denial of service on pending requests
Description
The getPendingBurnRequests function is used to retrieve all burn requests previously requested by users:
    function getPendingBurnRequests()
        external
        view
        returns (BurnRequest[] memory requests)
    {
        Storage.Layout storage $ = Storage.layout();
        // Walks the whole enumerable map; gas grows linearly with the number of requests.
        uint256 length = $.burnRequests.length();
        requests = new BurnRequest[](length);
        for (uint256 i; i < length; ++i) {
            (address account, uint256 amount) = $.burnRequests.at(i);
            requests[i] = BurnRequest({ account: account, amount: amount });
        }
    }
Because the function iterates over every pending request, an attacker could submit many small burn requests, inflating the number of entries until the call exceeds the available gas and fails.
Impact
Even though the function is declared as view, depending on how it is consumed it may create a denial of service, preventing other parts of the system that rely on it from working properly or completely blocking some features.
Recommendations
We recommend updating the function to access a single request based on the index of the request. This would prevent denial of service in the case of a large number of requests. It would leave the other parts of the system to implement a proper way of handling the size of the requests together with the getPendingBurnRequestsCount function.
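The following contract illustrates the recommended shape of the accessors: a count getter, a single-request getter by index, and a bounded page getter whose gas cost is controlled by the caller rather than by the total number of requests. It is an added example written for this report, not Prosper's code; it assumes the pending requests are stored in an OpenZeppelin EnumerableMap.AddressToUintMap (consistent with the length()/at(i) calls in the finding, but an assumption), and the requestBurn entry point is a hypothetical stand-in so the example is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: requests live in an OpenZeppelin AddressToUintMap.
import {EnumerableMap} from "@openzeppelin/contracts/utils/structs/EnumerableMap.sol";

contract BurnRequestsExample {
    using EnumerableMap for EnumerableMap.AddressToUintMap;

    struct BurnRequest {
        address account;
        uint256 amount;
    }

    EnumerableMap.AddressToUintMap private burnRequests;

    error IndexOutOfBounds(uint256 index, uint256 length);

    /// Hypothetical entry point so the example compiles stand-alone:
    /// registers (or tops up) a pending burn for the caller. Real code would
    /// add access control and token accounting here.
    function requestBurn(uint256 amount) external {
        (, uint256 existing) = burnRequests.tryGet(msg.sender);
        burnRequests.set(msg.sender, existing + amount);
    }

    /// Constant-gas count; consumers use it to size their pagination.
    function getPendingBurnRequestsCount() external view returns (uint256) {
        return burnRequests.length();
    }

    /// Constant-gas access to one request. Bounds are checked explicitly so
    /// callers get a descriptive error instead of the library's generic panic.
    function getPendingBurnRequest(uint256 index) external view returns (BurnRequest memory) {
        uint256 length = burnRequests.length();
        if (index >= length) revert IndexOutOfBounds(index, length);
        (address account, uint256 amount) = burnRequests.at(index);
        return BurnRequest({account: account, amount: amount});
    }

    /// Bounded page covering [start, start + limit). Gas is proportional to
    /// `limit`, which the caller chooses, so growth of the map can no longer
    /// make the call itself unexecutable. `limit` is clamped to what remains;
    /// a `start` past the end yields an empty page rather than a revert.
    function getPendingBurnRequests(uint256 start, uint256 limit)
        external
        view
        returns (BurnRequest[] memory page)
    {
        uint256 length = burnRequests.length();
        if (start >= length) return page; // default value is an empty array
        uint256 end = start + limit;
        if (end > length) end = length;
        page = new BurnRequest[](end - start);
        for (uint256 i = start; i < end; ++i) {
            (address account, uint256 amount) = burnRequests.at(i);
            page[i - start] = BurnRequest({account: account, amount: amount});
        }
    }
}
```

One caveat for consumers of the paged getter: EnumerableMap removes entries by swapping the last element into the vacated slot, so the iteration order changes whenever a request is removed between two page reads. Off-chain callers that need a consistent snapshot should read all pages at a single block number (for example by pinning the block in their eth_call), and on-chain callers should never loop over the full count in one transaction, since that reintroduces the same unbounded gas cost this finding describes.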
Remediation
This issue has been acknowledged by Prosper.