Summary
The lack of a limit on the number of wallets and token amounts processed in a single transaction can cause excessive gas consumption, making claim() unusable for other users as the transaction exceeds the block gas limit.
Root Cause
In claim(), the loop processing the projectTokenProxyWallets and tokenAmountsToClaim arrays does not enforce a maximum length. This allows attackers to craft transactions with excessively long arrays that consume too much gas.
https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/main/vvv-platform-smart-contracts/contracts/vc/VVVVCTokenDistributor.sol#L130-L136

```solidity
// Loop from claim(): one safeTransferFrom per entry, bounded only by the
// caller-supplied array length.
for (uint256 i = 0; i < _params.projectTokenProxyWallets.length; i++) {
    projectToken.safeTransferFrom(
        _params.projectTokenProxyWallets[i],
        msg.sender,
        _params.tokenAmountsToClaim[i]
    );
}
```
Internal pre-conditions
No response
External pre-conditions
The Ethereum network has a block gas limit that restricts the amount of computation or storage a block can handle.
Attack Path
1. Bob (the attacker) constructs _params with an excessively large number of projectTokenProxyWallets and tokenAmountsToClaim.
2. Bob calls claim(), submitting the malicious transaction.
3. The loop in the claim() function consumes so much gas that the transaction cannot be processed within the block gas limit.
4. Bob's transaction fails but blocks other valid transactions in the same block.
5. Repeated attacks can prevent legitimate users from using the claim() function.
Impact
This can disrupt the protocol by making the claim() function unusable for all users. Repeated attacks can block legitimate transactions, causing frustration and delays.
PoC
No response
Mitigation
Enforce a maximum size for projectTokenProxyWallets and tokenAmountsToClaim in the claim() function.
sherlock-admin3 changed the title from "Rare Taffy Bear - Excessive Gas Consumption (Block Gas Limit DoS)" to "imkapadia - Excessive Gas Consumption (Block Gas Limit DoS)" on Nov 23, 2024.

Submitted by: imkapadia
Severity: Medium
Title: Excessive Gas Consumption (Block Gas Limit DoS)
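The Mitigation section asks for a maximum size on projectTokenProxyWallets and tokenAmountsToClaim. The following is an added example written for this page; it is not the project's VVVVCTokenDistributor and not code from the submitter. The contract name BoundedClaimExample, the ClaimParams struct, the constant MAX_CLAIM_BATCH and its value of 50 are all assumptions. It places the unbounded loop from the report next to a hardened claim() that validates both the batch size and the array lengths before doing any transfers, so an oversized or malformed batch reverts with a named error at the start of the call instead of burning gas up to the transaction's limit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical, simplified distributor used only to illustrate the bound.
/// Not the project's contract; signature checks, nonces and other logic of
/// the real claim() are deliberately omitted.
contract BoundedClaimExample {
    using SafeERC20 for IERC20;

    struct ClaimParams {
        address[] projectTokenProxyWallets;
        uint256[] tokenAmountsToClaim;
    }

    /// Assumed upper bound on wallets processed per claim() call.
    /// Choose it from the measured gas of one safeTransferFrom iteration
    /// so that a full batch stays well below the block gas limit.
    uint256 public constant MAX_CLAIM_BATCH = 50;

    IERC20 public immutable projectToken;

    error ArrayLengthMismatch(uint256 wallets, uint256 amounts);
    error BatchTooLarge(uint256 requested, uint256 max);

    constructor(IERC20 _projectToken) {
        projectToken = _projectToken;
    }

    /// Unbounded version: mirrors the loop quoted in the report. Gas use
    /// grows linearly with the caller-chosen array length, and a mismatch
    /// between the two arrays only surfaces as an out-of-bounds revert
    /// inside the loop, after gas has already been spent on earlier entries.
    function claimUnbounded(ClaimParams calldata _params) external {
        for (uint256 i = 0; i < _params.projectTokenProxyWallets.length; i++) {
            projectToken.safeTransferFrom(
                _params.projectTokenProxyWallets[i],
                msg.sender,
                _params.tokenAmountsToClaim[i]
            );
        }
    }

    /// Hardened version: both checks run before any transfer, so the
    /// worst-case cost of a rejected call is a few hundred gas plus calldata.
    function claim(ClaimParams calldata _params) external {
        uint256 n = _params.projectTokenProxyWallets.length;
        uint256 m = _params.tokenAmountsToClaim.length;
        if (n != m) {
            revert ArrayLengthMismatch(n, m);
        }
        if (n > MAX_CLAIM_BATCH) {
            revert BatchTooLarge(n, MAX_CLAIM_BATCH);
        }
        for (uint256 i = 0; i < n; ++i) {
            projectToken.safeTransferFrom(
                _params.projectTokenProxyWallets[i],
                msg.sender,
                _params.tokenAmountsToClaim[i]
            );
        }
    }
}
```

When picking the bound, measure the gas of a full-size batch against the target chain's block gas limit (a Foundry gas report over a test that calls claim() with MAX_CLAIM_BATCH entries is enough), and remember that the bound also caps how much work an honest user can do per transaction, so it should be set from expected batch sizes rather than as small as possible.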