Denial-of-Service (DoS) vulnerability in balanceOfFertilized function due to lack of array length validation
Smart contract unable to operate due to lack of token funds
The balanceOfFertilized function in the smart contract has a potential vulnerability that could lead to a denial-of-service (DoS) attack. Specifically, the function does not validate the length of the ids array before iterating over it in the for loop. This means that if an attacker sends a transaction with a large ids array, the function will consume a significant amount of gas, potentially leading to the transaction running out of gas and failing. The failure of the transaction would result in a DoS attack on the contract, preventing legitimate users from using the function until the failed transaction is removed from the network by miners. And as this situation will prevent users from making important transactions or withdrawing their funds. This could cause frustration and loss of confidence in the contract, leading to a decrease in usage and potentially affecting the value of any tokens or assets held within it.
The impact of the identified vulnerability in the balanceOfFertilized function is potentially significant, as it could allow an attacker to launch a denial-of-service (DoS) attack on the contract. This could cause legitimate users of the contract to be unable to use the function until the failed transaction is removed from the network by miners, which could take some time. Furthermore, the DoS attack could result in significant financial losses for users if they are unable to execute critical transactions such as selling or transferring tokens. Additionally, the reputational damage to the contract could discourage future users and investors, leading to further financial harm. It is crucial that the vulnerability is addressed promptly to mitigate these potential consequences and ensure the continued security and reliability of the contract.
Difficulty to Exploit: Easy - An attacker with basic knowledge of smart contract programming and Ethereum blockchain can easily exploit this vulnerability.
Weakness: Lack of input validation and unchecked array length.
CVSS2 Score: Based on the severity rating and impact assessment, the CVSS2 score for this vulnerability is in the range of 6.0 to 7.5 (medium to high severity).
To mitigate this vulnerability, the balanceOfFertilized function should validate the length of the ids array before processing it, and either revert the transaction or return an error if the array is too large. Additionally, the function could be optimized to reduce gas consumption, such as by limiting the amount of computation performed in the for loop or by using a different data structure that allows for more efficient querying of the fertilized balances.
Overall, this vulnerability could have serious consequences for the contract and its users, potentially leading to loss of funds and damage to the contract's reputation. It is important that the vulnerability is addressed promptly and thoroughly to ensure the security and reliability of the contract.
Proof of concept
The attacker could send a transaction to the balanceOfFertilized function with a large array of values as the input parameter. The attacker would set the gas limit for the transaction to a low value, which would cause the transaction to fail due to an out-of-gas error.
After the transaction fails, it would remain in the transaction pool of the network, preventing other transactions from being executed until the failed transaction is removed by miners. An attacker could send multiple transactions with large arrays to the function, causing more failed transactions to accumulate in the pool and further increasing the chances of a DoS attack.
If successful, the DoS attack would render the balanceOfFertilized function unusable for legitimate users of the contract, preventing them from performing any actions that rely on this function. This could potentially result in financial losses for users and damage to the reputation of the contract.
This is not a security bug report because it claims there is a DoS attack vector on a view function. View functions are read from; transactions are not submitted to them.
Due to these reasons, we are closing the submission and no reward will be issued.