Contract fails to deliver promised returns, but doesn't lose value
Description
Bug Description
getTransactionIds vulnerable to run out of gas and DoS even if it's a view function. So whatever clients rely on this view function would not be able todo his job anymore as calling this function would always revert.
Impact
getTransactionIds will always revert once ~1200 transactions (in Remix the gas limit seems to be 3M) have been submitted throught the wallet. The gas limit seems to be 30M thought, I'm not sure why in Remix it revert at 3M, but if it needs to reach 30M, then the cap is around 11400 transactions (see PoC)
Recommendation
The problem is really the first for loop for (i=0; i<transactionCount; i++) which will always iterate over all the txs submitted. Consider refactoring the implementation such that this for loop is not affected by the transactionCount, but only the Ids range received in parameters. I'm happy to code it if this issue is considered valid.
/// @dev Returns list of transaction IDs in defined range.
/// @param from Index start position of transaction array.
/// @param to Index end position of transaction array.
/// @param pending Include pending transactions.
/// @param executed Include executed transactions.
/// @return Returns array of transaction IDs.
function getTransactionIds(uint from, uint to, bool pending, bool executed)
public
constant
returns (uint[] _transactionIds)
{
uint[] memory transactionIdsTemp = new uint[](transactionCount);
uint count = 0;
uint i;
for (i=0; i<transactionCount; i++)
if ( pending && !transactions[i].executed
|| executed && transactions[i].executed)
{
transactionIdsTemp[count] = i;
count += 1;
}
_transactionIds = new uint[](to - from);
for (i=from; i<to; i++)
_transactionIds[i - from] = transactionIdsTemp[i];
}
Proof of concept
You will have to clone the immunefi poc repo and follow the steps below. I had to upgrade the MultiSigWallet code to match solc v0.8.19 compiler in order todo this PoC. Nevertheles, I also tested in Remix using the same compiler (v0.4.26, also using the original code) and the it start reverting at around 1200 txs. Once you run the test, you can see the gas used which is above 30M, which confirm the problem.
/** *Submitted for verification at Etherscan.io on 2021-03-04*//** *Submitted for verification at Etherscan.io on 2018-05-10*/pragmasolidity ^0.8.13;/// @title Multisignature wallet - Allows multiple parties to agree on transactions before execution./// @author Stefan George - <stefan.george@consensys.net>contract MultiSigWallet {uintconstantpublic MAX_OWNER_COUNT =50;eventConfirmation(addressindexed sender, uintindexed transactionId);eventRevocation(addressindexed sender, uintindexed transactionId);eventSubmission(uintindexed transactionId);eventExecution(uintindexed transactionId);eventExecutionFailure(uintindexed transactionId);eventDeposit(addressindexed sender, uint value);eventOwnerAddition(addressindexed owner);eventOwnerRemoval(addressindexed owner);eventRequirementChange(uint required);mapping (uint