Limited contract storage enables denial-of-service attacks
In the pool contracts, orders are stored in a map. However, in Tact, there is a limit to the number of cells that can be stored in a map. As described by the Tact documentation:

"As the upper bound of the smart contract state size is around 65000 items of type Cell, it constrains the storage limit of maps to about 30000 key-value pairs for the whole contract. The more entries you have in a map, the higher compute fees you will incur. Thus, working with large maps makes compute fees difficult to predict and manage."
If a user were to create a large number of orders, the map would fill up, and users would be unable to create additional orders. It would require manual intervention from an executor to cancel orders.
In practice, this attack may be prohibitively expensive — in terms of capital required to start the attack and the cost of the fees not being refunded to the attacker — because execution fees are collected at the time orders are created. Additionally, when an order is canceled, executors have the ability to specify an address to receive the fee refund from the order.
If the TonTradoor team is concerned about users being blocked from creating orders at specific times (e.g., if the attacker is expecting a user to create a large order and attempts to block it from happening), one step to further mitigate the attack is to make the fees for order creation scale with the number of existing orders. In this way, creating a large number of orders would be even more likely to be prohibitively expensive, but creating a single (legitimate) order may be worth the fees.
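The following is an added illustration, not code from the TonTradoor contracts and not Tact: a small Python model of an order book that applies the two mitigations discussed above, a hard capacity cap below the Tact map limit and a creation fee that grows with the number of open orders. The base fee of 0.1 TON, the 1,000-order fee step and the `OrderBook` class are constructed for the example; only the approximate 30,000-entry map capacity comes from the Tact documentation quoted above. The `cost_to_fill` helper compares the capital an attacker would need to exhaust the map under a flat fee versus the scaling fee.

```python
from dataclasses import dataclass, field

NANOTON = 10**9
BASE_FEE = NANOTON // 10   # 0.1 TON per order (constructed value)
FEE_STEP = 1_000           # every 1,000 open orders add one BASE_FEE (constructed)
MAX_ORDERS = 30_000        # approximate per-contract map capacity from the Tact docs


def creation_fee(open_orders: int) -> int:
    """Fee in nanoTON for creating an order when `open_orders` already exist.

    Linear growth: the first 1,000 orders cost BASE_FEE each, the next 1,000
    cost 2 * BASE_FEE, and so on. A single legitimate order stays affordable
    while filling the whole map becomes far more expensive than under a flat fee.
    """
    return BASE_FEE * (1 + open_orders // FEE_STEP)


@dataclass
class Order:
    owner: str
    size: int
    fee_paid: int


@dataclass
class OrderBook:
    """Model of the pool's order storage (hypothetical, not the TonTradoor contract)."""
    max_orders: int = MAX_ORDERS
    orders: dict = field(default_factory=dict)
    next_id: int = 0

    def create(self, owner: str, size: int, value: int) -> int:
        # Hard cap: refuse new orders before the map approaches the Tact cell limit,
        # so the contract fails cleanly instead of hitting the storage bound.
        if len(self.orders) >= self.max_orders:
            raise RuntimeError("order book full")
        fee = creation_fee(len(self.orders))
        if value < fee:
            raise ValueError(f"insufficient fee: need {fee} nanoTON, got {value}")
        oid = self.next_id
        self.next_id += 1
        self.orders[oid] = Order(owner=owner, size=size, fee_paid=fee)
        return oid

    def cancel(self, oid: int, refund_to: str) -> tuple:
        # Mirrors the report's note that the executor chooses the refund address;
        # the fee is not automatically returned to the order creator.
        order = self.orders.pop(oid)
        return refund_to, order.fee_paid


def cost_to_fill(n_orders: int, flat: bool = False) -> int:
    """Total nanoTON needed to create `n_orders` into an empty book."""
    if flat:
        return BASE_FEE * n_orders
    return sum(creation_fee(i) for i in range(n_orders))


if __name__ == "__main__":
    print("flat fee, fill 30k:   ", cost_to_fill(MAX_ORDERS, flat=True) / NANOTON, "TON")
    print("scaling fee, fill 30k:", cost_to_fill(MAX_ORDERS) / NANOTON, "TON")
```

With these constructed parameters, exhausting the map costs 3,000 TON under a flat fee but 46,500 TON under the scaling schedule, while a user creating one order into a nearly empty book still pays the base 0.1 TON. The cap and the fee step are tunable; the point is that the cost curve an attacker faces should rise faster than the cost a legitimate user faces.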