M-1 Denial of Service via MaxTokenAllocationReached

Severity

Impact: Medium

Likelihood: Medium

Description

The function participate() ensures that a launch users has not exceeded their maximum token allocation before allowing new participation. However, the check occurs after signature validation and payment processing logic :

if (settings.maxTokenAllocation < currTotalTokensSold + request.tokenAmount) {
    revert MaxTokenAllocationReached(request.launchGroupId);
}

Impact

Multiple users may pass initial checks and attempt to participate simultaneously, causing transactions to revert due to exceeding the maxTokenAllocation.
Attackers can spam transactions to fill up the token allocation limit, causing genuine users' transactions to fail.

Recommendation

Perform max allocation check before validation
Proceed with validation and payment processing only if allocation allows

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

026.md

026.md

M-1 Denial of Service via MaxTokenAllocationReached

Description

Impact

Recommendation

Files

026.md

Latest commit

History

026.md

File metadata and controls

M-1 Denial of Service via MaxTokenAllocationReached

Description

Impact

Recommendation