F-2025-0009·gas-bound
Unbounded array input in batch functions allows potential DoS attacks and gas griefing
TL;DR
Batch view functions accept arbitrarily long token-id arrays without enforcing a maximum length, opening the door to gas-griefing and DoS in callers that forward to them.
Severity
LOW
Impact
LOW
Likelihood
LOW
Method
MManual review
CAT.
Complexity
LOW
Exploitability
LOW
02Section · Description
Description
The stakingPoolOfBatch function and other similar batch functions in the GenesisLicense contract accept arrays of arbitrary length without imposing any limits:
solidity
function stakingPoolOfBatch(uint256[] memory tokenIds_) external view returns (address[] memory stakingPools_) {GenesisLicenseStorage storage $ = _getGenesisLicenseStorage();stakingPools_ = new address[](tokenIds_.length); // Initialize array for staking pools// Get staking pool for each token ID in the arrayfor (uint256 i = 0; i < tokenIds_.length; ++i) {stakingPools_[i] = $._stakingPools[tokenIds_[i]]; // Store staking pool address}}
This pattern creates two potential issues:
- DoS Risk: If called with an extremely large array, the function could exceed the block gas limit, making it impossible to execute.
- Gas Griefing: When these functions are called internally by other contract functions, an attacker could pass a large array to consume excessive gas, potentially causing legitimate transactions to fail.
While this is a view function and doesn't directly impact state, similar patterns in non-view functions could be more problematic, and even view functions can be called by other contracts.
03Section · Recommendation
Recommendation
Add reasonable maximum length limits to array parameters:
solidity
function stakingPoolOfBatch(uint256[] memory tokenIds_) external view returns (address[] memory stakingPools_) {require(tokenIds_.length <= 100, "Batch size exceeds limit");// Rest of function unchanged}
