F-2024-0006·missing-validation

A user can register an unlimited number of subscriptions

Fixedaccount-abstractionerc-4337subscriptiongithub.com/bastion-wallet
TL;DR

registerSubscription has no per-user cap, allowing a single subscriber to register unlimited entries and grow the subscribers array until getSubscribers exhausts gas (denial of service).

Severity
LOW
Impact
LOW
Likelihood
MEDIUM
Method
MManual review
CAT.
Complexity
LOW
Exploitability
MEDIUM
02Section · Description

Description

A user can register an infinite number of times since there are no restrictions in place to prevent it. It is therefore possible to register a large number of subscriptions such that registerSubscription() and getSubscribers() functions will run out of gas causing a Denial of Service.

solidity
function registerSubscription(address _subscriber, uint256 _amount,
  uint256 _validUntil, uint256 _paymentInterval, address _erc20Token)
  public {
  require(_amount > 0, "Subscription amount is 0");
  require(_paymentInterval > 0, "Payment interval is 0");
  require(msg.sender == _subscriber, "Only the subscriber can register a subscription");


  ISubExecutor.SubStorage memory sub = ISubExecutor.SubStorage({
    amount: _amount,
    validUntil: _validUntil,
    validAfter: block.timestamp,
    paymentInterval: _paymentInterval,
    subscriber: _subscriber,
    initiator: address(this),
    erc20TokensValid: _erc20Token == address(0) ? false : true,
    erc20Token: _erc20Token
  });
  subscriptionBySubscriber[_subscriber] = sub;
  subscribers.push(_subscriber);
}
03Section · Impact

Impact

Unbounded growth of the subscribers array exhausts gas in iteration, causing a Denial of Service on getSubscribers() and slowing down subscription registration.

04Section · Recommendation

Recommendation

Implement a requirement to ensure that the same user has not registered other subscriptions previously or consider the possibility of adding an upper bound limit on the maximum number of subscriptions.

Sample implementation:

diff
+ mapping(address => bool) private subscriberStatus;


function registerSubscription(address _subscriber, uint256 _amount,
    uint256 _validUntil, uint256 _paymentInterval, address _erc20Token)
    public {
  require(_amount > 0, "Subscription amount is 0");
  require(_paymentInterval > 0, "Payment interval is 0");
  require(msg.sender == _subscriber, "Only the subscriber can register a subscription");
+ require(!subscriberStatus[_subscriber], "Subscriber already registered");
  subscriptionBySubscriber[_subscriber] = sub;
+ subscriberStatus[_subscriber] = true;
}
05Section · Resolution

Resolution

Team Response: Acknowledged and fixed as suggested.

Status
Fixed
Fix commit
79cddfeb6070
ZEALYNX SECURITY · published 2024-03-01
F-2024-0006

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx