Denial of service on pending requests
Description
The getPendingBurnRequests function is used to retrieve all burn requests previously requested by users:

    function getPendingBurnRequests()
        external
        view
        returns (BurnRequest[] memory requests)
    {
        Storage.Layout storage $ = Storage.layout();
        // Unbounded: the loop grows with the number of pending requests.
        uint256 length = $.burnRequests.length();
        requests = new BurnRequest[](length);
        for (uint256 i; i < length; ++i) {
            (address account, uint256 amount) = $.burnRequests.at(i);
            requests[i] = BurnRequest({ account: account, amount: amount });
        }
    }

An attacker could maliciously submit many small burn requests, growing the number of pending requests until the call runs out of gas and fails.
Impact
Even though the function is declared as view, depending on how it is used it may create a denial of service, preventing other parts of the system that rely on this function from working properly or even completely blocking some features.
Recommendations
We recommend updating the function to return a single request selected by its index. This would prevent denial of service in the case of a large number of requests. The other parts of the system would then be responsible for handling the number of requests appropriately, using the getPendingBurnRequestsCount function to learn how many there are.
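The following is an added illustration of the recommended access pattern; it is not Prosper's code and is not taken from the audited contracts. It assumes burnRequests is an OpenZeppelin EnumerableMap.AddressToUintMap (matching the (address, uint256) pairs returned by burnRequests.at(i) in the finding), and the contract name, the requestBurn helper, the MAX_PAGE_SIZE bound and the error names are all assumptions. It goes slightly beyond the single-index getter in the recommendation by also showing a bounded page getter, which is the form most off-chain consumers end up wanting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EnumerableMap} from "@openzeppelin/contracts/utils/structs/EnumerableMap.sol";

/// Added example (not Prosper's code): bounded accessors for pending burn requests.
/// Assumes the request store is an EnumerableMap.AddressToUintMap.
contract BoundedBurnRequests {
    using EnumerableMap for EnumerableMap.AddressToUintMap;

    struct BurnRequest {
        address account;
        uint256 amount;
    }

    EnumerableMap.AddressToUintMap private burnRequests;

    /// Assumed upper bound on a single page so the gas cost of one call is capped.
    uint256 public constant MAX_PAGE_SIZE = 100;

    error IndexOutOfBounds(uint256 index, uint256 length);
    error PageTooLarge(uint256 requested, uint256 max);

    /// Demo helper only: one pending request per account, amounts accumulate.
    function requestBurn(uint256 amount) external {
        (, uint256 pending) = burnRequests.tryGet(msg.sender);
        burnRequests.set(msg.sender, pending + amount);
    }

    /// Number of pending requests; callers use this to drive indexed access.
    function getPendingBurnRequestsCount() external view returns (uint256) {
        return burnRequests.length();
    }

    /// Single request by index: constant gas regardless of how many requests exist.
    function getPendingBurnRequest(uint256 index) external view returns (BurnRequest memory) {
        uint256 length = burnRequests.length();
        if (index >= length) revert IndexOutOfBounds(index, length);
        (address account, uint256 amount) = burnRequests.at(index);
        return BurnRequest({account: account, amount: amount});
    }

    /// Bounded page [offset, offset + limit): gas is capped by MAX_PAGE_SIZE,
    /// so an attacker inflating the request count cannot make this call fail.
    function getPendingBurnRequests(uint256 offset, uint256 limit)
        external
        view
        returns (BurnRequest[] memory page)
    {
        if (limit > MAX_PAGE_SIZE) revert PageTooLarge(limit, MAX_PAGE_SIZE);
        uint256 length = burnRequests.length();
        if (offset >= length) return page; // empty page past the end
        uint256 end = offset + limit;
        if (end > length) end = length;
        page = new BurnRequest[](end - offset);
        for (uint256 i = offset; i < end; ++i) {
            (address account, uint256 amount) = burnRequests.at(i);
            page[i - offset] = BurnRequest({account: account, amount: amount});
        }
    }
}
```

One caveat worth keeping in mind with this pattern: EnumerableMap removes entries by swapping the last element into the vacated slot, so indices are not stable across removals. A consumer that pages through the list over several calls should either read the count and all pages at the same block number or tolerate an entry appearing twice or being skipped when the set changes between calls.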
Remediation
This issue has been acknowledged by Prosper.