Skip to content

Latest commit

 

History

History
63 lines (41 loc) · 1.43 KB

020.md

File metadata and controls

63 lines (41 loc) · 1.43 KB

Upbeat Paisley Liger

Medium

Denial of Service (DoS)

Summary

Functions like batchRefund and finalizeWinners iterate over arrays of arbitrary length, which could exceed the gas limit and cause the transaction to fail.

function batchRefund(bytes32 launchGroupId, bytes32[] calldata launchParticipationIds) external onlyRole(OPERATOR_ROLE) nonReentrant whenNotPaused onlyLaunchGroupStatus(launchGroupId, LaunchGroupStatus.COMPLETED) { for (uint256 i = 0; i < launchParticipationIds.length; i++) { ParticipationInfo storage info = launchGroupParticipations[launchParticipationIds[i]]; _processRefund(launchGroupId, launchParticipationIds[i], info); } }

Root Cause

https://github.com/sherlock-audit/2025-02-rova/blob/main/rova-contracts/src/Launch.sol#L502

Internal Pre-conditions

none

External Pre-conditions

none

Attack Path

none

Impact

Denial of Service (DoS) in batchRefund and finalizeWinners .

PoC

No response

Mitigation

Implement pagination or limit the number of items processed in a single transaction.

Example:

function batchRefund(bytes32 launchGroupId, bytes32[] calldata launchParticipationIds, uint256 limit) external onlyRole(OPERATOR_ROLE) { require(limit <= 100, "Limit too high"); for (uint256 i = 0; i < launchParticipationIds.length && i < limit; i++) { // Process refund } }