Upgraded Q -> 2 from #670 [1675726386915]

Judge has assessed an item in Issue #670 as 2 risk. The relevant finding follows:

[L-03] DoS if address owns too many receipts
With time it is viable for users to acquire thousands and tens of thousands of receipts. This may happen as a result of buying receipts for example, which was highlighted as a valid use-case. Moreover, receipts aren’t burned when they are used for claiming a reward.

Calculations in getOwnedTokenIdsOfQuest require looping over all of user’s tokens. This may lead to denial of service as EVM isn’t suitable for big loops.

    uint msgSenderBalance = balanceOf(claimingAddress_);
    uint[] memory tokenIdsForQuest = new uint[](msgSenderBalance);
    uint foundTokens = 0;

    for (uint i = 0; i < msgSenderBalance; i++) {
        uint tokenId = tokenOfOwnerByIndex(claimingAddress_, i);
        if (keccak256(bytes(questIdForTokenId[tokenId])) == keccak256(bytes(questId_))) {
            tokenIdsForQuest[i] = tokenId;
            foundTokens++;
        }
    }

Recommendation: consider using ERC1155 for receipts which will allow tracking user receipts for each quest separately.

The text was updated successfully, but these errors were encountered:

All reactions