Category: Coding Mistakes

Possible denial of service in claim

Medium Severity
High Impact
Low Likelihood

Description

When vestingAddresses attempt to claim, the system iterates through all addresses and sends funds accordingly. However, if the size of the vestingAddresses array becomes too large, a denial-of-service gas error can occur, preventing anyone from being able to claim funds.

Impact

The following code corresponds to the claim function:

for (uint256 i = 0; i < vestingAddresses.length;) {
    address v = vestingAddresses[i];
    if (!IVesting(v).cancelled()) {
        if (IVesting(v).totalClaimedAmount() < IVesting(v).amount()) {
            IVesting(v).claim();
        }
    }
    unchecked {++i;}
}

New vesting addresses can be added using the createVestingStartingFrom and createVestingStartingFromNow methods. However, if the treasury calls these methods excessively, a large number of vesting addresses may accumulate, which can prevent anyone from being able to claim. Unfortunately, there is no way to remove vesting addresses once they have been added.

Recommendations

We recommend exploring one of the following possibilities to address the issue:

  1. Modify the claim function to take start and end indices, allowing users to claim their tokens in batches instead of all at once.

  2. Implement a way to remove vesting addresses once they have been added to the system. This would prevent the accumulation of a large number of addresses that could lead to denial-of-service errors.

  3. Set a maximum cap on the number of vesting addresses that can be added to the system. This would limit the potential for denial-of-service errors by preventing the system from becoming overloaded with too many vesting addresses.
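The sketch below combines recommendations 1 and 3. It is an added example, not code from the STFX repository or from the fix commit. The contract name, MAX_VESTING_ADDRESSES, _registerVesting, vestingCount, the custom errors, and the IVesting return types are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Interface inferred from the calls in the audited loop; return types are assumed.
interface IVesting {
    function cancelled() external view returns (bool);
    function totalClaimedAmount() external view returns (uint256);
    function amount() external view returns (uint256);
    function claim() external;
}

// Hypothetical contract illustrating a bounded, batched claim.
contract BatchedVestingClaim {
    // Constructed value: pick it by measuring the gas cost of one iteration.
    uint256 public constant MAX_VESTING_ADDRESSES = 500;

    address[] public vestingAddresses;

    error TooManyVestings();
    error InvalidRange();

    // Stand-in for the push performed inside createVestingStartingFrom and
    // createVestingStartingFromNow: refuse to grow the array past the cap.
    function _registerVesting(address v) internal {
        if (vestingAddresses.length >= MAX_VESTING_ADDRESSES) revert TooManyVestings();
        vestingAddresses.push(v);
    }

    // Lets off-chain callers plan their batches.
    function vestingCount() external view returns (uint256) {
        return vestingAddresses.length;
    }

    // Processes indices in [start, end). The caller controls the batch size,
    // so gas use no longer scales with the full array length.
    // Access control is omitted here; keep whatever the original claim enforces.
    function claim(uint256 start, uint256 end) external {
        uint256 len = vestingAddresses.length;
        if (end > len) end = len; // clamp so an oversized end cannot read out of bounds
        if (start >= end) revert InvalidRange();
        for (uint256 i = start; i < end;) {
            address v = vestingAddresses[i];
            if (!IVesting(v).cancelled()) {
                if (IVesting(v).totalClaimedAmount() < IVesting(v).amount()) {
                    IVesting(v).claim();
                }
            }
            unchecked { ++i; }
        }
    }
}
```

Because a revert inside any IVesting(v).claim() call still reverts the whole transaction, batching also lets a caller choose ranges that skip a failing index.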

Remediation

STFX acknowledged and resolved the issue in 6503abf8.

Zellic © 2025