I'm doing a peer review and I have a question: if in the contract users can push as many objects as they want to an array mapped to their address, how big a concern is it? Because on a low-fee chain, I can check where my array starts, and if there is other data saved in the next reasonable amount of memory slots I could override it by continuing to push new objects.
The object is like 5 slots, and I can create a ton of contracts to see where the start of their array is, and after I get a decent one I can create millions of pushes. For sure you can't spam like crazy and fill the entire memory, but still, if you land in a decent spot it could be risky.
What do you think? Could it be a security concern or not?

Oct 3, 2023, 7:24 AM
Even if the gas price is acceptable on L2, you could hit the gas block limit if the array is too big to loop.
Oct 3, 2023, 8:15 AM
You didn't understand what I mean. I have a contract that has a deposit function, and at each deposit it does userInfo[msg.sender].push(
UserInfo(val1, val2, val3, val4, val5)
);

I can call this function as many times as I want.

My concern is that if I create an attacking contract that, for example, calls deposit 100_000 times while staying inside the block gas limit, I can publish a ton of these contracts until I get one where the start of the array in the mapping is before an important variable. In that case, with each transaction I do with the attacking contract (which does a batch of 100k deposits) I can override the next 500k slots in storage, so by doing some of these batch deposits I could ideally reach a variable like admin and override it with whatever I want. My question is: on an L2 chain like Polygon, where you can do a ton of transactions, would this be a concern, or based on the number of slots is it still not feasible?
Oct 3, 2023, 8:24 AM
Feels like you don't appreciate how big of a number 2^256 is :)
Oct 3, 2023, 3:54 PM
You're right, I did some actual calculation, and considering Polygon throughput, in 1 day you can consume 25M slots, and even if you can precompute the addresses of a deployed contract and then compute the possible landing position in the slot, the possibility to find it in 1 day using all Bitcoin hash power is 1 in 10^56 XD
Oct 3, 2023, 4:29 PM
