F-2025-0013·gas-bound

Potential Denial of Service Risk in FeeDistributionVault.sol Due to Unbounded Loops

Fixed · liquid-staking · lst · staking-pools · github.com/matchain/contracts
TL;DR

FeeDistributionVault iterates over the beneficiaries array in multiple functions. As the array grows, the for loops could exceed the block gas limit, blocking critical functionality until the set is manually trimmed.

Severity: LOW
Impact: MEDIUM
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The FeeDistributionVault.sol smart contract uses for loops across multiple functions to iterate over the list of beneficiaries. While this approach is straightforward, it introduces a potential Denial of Service (DoS) vulnerability if the beneficiaries array becomes too large.

In such a case, executing these loops could consume more gas than the block gas limit allows, causing the transaction to revert. As a result, critical contract functionality could become inaccessible until a smaller set of beneficiaries is manually set.

Impact

Beneficiary distribution can become unreachable once the list grows past the gas-budget threshold for any of the iterating functions. The protocol owner has to manually trim the set or redeploy.

Recommendation

There are two options:

  1. Introduce a function to remove beneficiaries individually, to avoid having to reset the entire set from scratch when adjustments are needed.
  2. Consider implementing a pull-based pattern, where beneficiaries manually claim their share of tokens, rather than the contract pushing tokens to all beneficiaries in a single call. This would eliminate the risk of gas exhaustion in a single transaction and make the system more scalable.
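
A sketch of the pull-based option, added here as an illustration and not taken from the matchain repository: every function is O(1) in the number of beneficiaries, and `setShares(who, 0)` doubles as the individual removal from option 1. The contract name, the share-weighted split, the single ERC-20 fee token and all identifiers are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the FeeDistributionVault code. All names are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract PullFeeVault {
    uint256 private constant PRECISION = 1e18;
    IERC20 public immutable token;
    address public immutable owner;
    uint256 public totalShares;
    uint256 public accPerShare;              // cumulative fees per share, scaled by PRECISION
    mapping(address => uint256) public shares;
    mapping(address => uint256) public debt; // shares * accPerShare at last settlement
    mapping(address => uint256) public owed; // settled but not yet claimed

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    // O(1): settle one beneficiary, then change its weight. newShares = 0 removes it.
    function setShares(address who, uint256 newShares) external {
        require(msg.sender == owner, "not owner");
        _settle(who);
        totalShares = totalShares - shares[who] + newShares;
        shares[who] = newShares;
        debt[who] = newShares * accPerShare / PRECISION;
    }

    // O(1): record incoming fees without iterating over beneficiaries.
    function deposit(uint256 amount) external {
        require(totalShares > 0, "no beneficiaries");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        accPerShare += amount * PRECISION / totalShares;
    }

    // O(1): each beneficiary withdraws only its own balance.
    function claim() external {
        _settle(msg.sender);
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; // effects before the external call
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Move everything accrued since the last settlement into `owed`.
    function _settle(address who) private {
        uint256 accrued = shares[who] * accPerShare / PRECISION;
        owed[who] += accrued - debt[who];
        debt[who] = accrued;
    }
}
```

Integer division leaves rounding dust in the contract, and a beneficiary whose transfer reverts blocks only its own claim rather than the whole distribution.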

© 2026 Zealynx