RabbitHole Quest Protocol contest - cryptojedi88's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Findings Distribution

Researcher Performance

Rank: 92/173

Findings: 1

Award: $18.70

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

18.6976 USDC - $18.70

Labels

bug
2 (Med Risk)
satisfactory
duplicate-552

External Links

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96

Vulnerability details

Impact

The function claim() in Quest.sol calls getOwnedTokenIdsOfQuest() in RabbitHoleReceipt.sol to obtain the array of reward tokens (receipts) that belong to the claimant. In total, three for loops are executed per claim (two in getOwnedTokenIdsOfQuest() and one in claim()), and the number of iterations grows with the number of receipts the claimant holds. A malicious actor, or a non-malicious one unintentionally, could therefore trigger a gas-griefing condition on this contract, with the result that claimants who have completed the on-chain tasks cannot collect their rewards.

This is possible because of the block gas limit on the Ethereum blockchain: the for loops will revert when the claimant holds a large number of claimable tokens (say more than 200). While this is unlikely under normal circumstances, a holder who sweeps a large number of reward tokens from the secondary market and then calls claim() to redeem them would hit this limit.

It is recommended to batch the claiming requests and limit the number of tokens that can be claimed in any single call to the contract. This could be around 40 or 50 tokens at a time (testing is needed to come up with an optimum number).
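The bounded claim suggested above, written here as an added example that is not the project's code: the caller supplies the receipt ids to redeem and the contract caps the batch length, so one call's gas no longer grows with the claimant's total holdings. The names IReceipt, questIdOf, BoundedClaimQuest and MAX_CLAIM_BATCH are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal receipt interface (assumed, not the project's own):
// ERC-721-style ownership plus a per-token quest id lookup.
interface IReceipt {
    function ownerOf(uint256 tokenId) external view returns (address);
    function questIdOf(uint256 tokenId) external view returns (string memory);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BoundedClaimQuest {
    IReceipt public immutable receipt;
    IERC20 public immutable rewardToken;
    string public questId;
    uint256 public immutable rewardAmountPerToken;
    // Upper bound on receipts redeemed per call. 50 is the report's suggested
    // range; the safe value must be measured against the block gas limit.
    uint256 public constant MAX_CLAIM_BATCH = 50;

    mapping(uint256 => bool) public claimed;

    constructor(IReceipt receipt_, IERC20 rewardToken_, string memory questId_, uint256 reward_) {
        receipt = receipt_;
        rewardToken = rewardToken_;
        questId = questId_;
        rewardAmountPerToken = reward_;
    }

    // Vulnerable shape (for contrast, not implemented here): claim() first walks
    // every receipt the caller owns inside getOwnedTokenIdsOfQuest(), then loops
    // over the result again, so gas scales with holdings and a holder of a few
    // hundred receipts exceeds the block gas limit and can never redeem.

    // Bounded shape: gas per call is limited by MAX_CLAIM_BATCH regardless of
    // holdings; a large holder simply calls claimBatch() several times.
    function claimBatch(uint256[] calldata tokenIds) external {
        uint256 n = tokenIds.length;
        require(n > 0 && n <= MAX_CLAIM_BATCH, "batch size out of range");
        for (uint256 i = 0; i < n; i++) {
            uint256 id = tokenIds[i];
            require(receipt.ownerOf(id) == msg.sender, "not receipt owner");
            require(keccak256(bytes(receipt.questIdOf(id))) == keccak256(bytes(questId)), "wrong quest");
            require(!claimed[id], "already claimed"); // also rejects duplicate ids within one batch
            claimed[id] = true; // effects before the external token transfer
        }
        require(rewardToken.transfer(msg.sender, n * rewardAmountPerToken), "reward transfer failed");
    }
}
```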

#0 - c4-judge

2023-02-06T09:14:06Z

kirk-baird marked the issue as duplicate of #135

#1 - c4-judge

2023-02-14T09:17:39Z

kirk-baird marked the issue as satisfactory

AuditHub
