Contract fails to deliver promised returns, but doesn't lose value
Description
Bug Description
getTransactionIds vulnerable to run out of gas and DoS even if it's a view function. So whatever clients rely on this view function would not be able todo his job anymore as calling this function would always revert.
Impact
getTransactionIds will always revert once ~1200 transactions (in Remix the gas limit seems to be 3M) have been submitted throught the wallet. The gas limit seems to be 30M thought, I'm not sure why in Remix it revert at 3M, but if it needs to reach 30M, then the cap is around 11400 transactions (see PoC)
Recommendation
The problem is really the first for loop for (i=0; i<transactionCount; i++) which will always iterate over all the txs submitted. Consider refactoring the implementation such that this for loop is not affected by the transactionCount, but only the Ids range received in parameters. I'm happy to code it if this issue is considered valid.
Proof of concept
You will have to clone the immunefi poc repo and follow the steps below. I had to upgrade the MultiSigWallet code to match solc v0.8.19 compiler in order todo this PoC. Nevertheles, I also tested in Remix using the same compiler (v0.4.26, also using the original code) and the it start reverting at around 1200 txs. Once you run the test, you can see the gas used which is above 30M, which confirm the problem.
Add the following code in src folder, which is the MultiSigWallet.sol contract but upgraded to compile with Solc 0.8.19.
Replace test/PoCTest.sol with the following test.
forge test -vv --match-test testAttack
I've also tested it in Remix the following way:
Add the MultiSigWallet to Remix
Add the following code at the end of the Constructor
Deploy with 2 valid owner and 2 required
Call getTransactionIds with 0, 20, true, true
Check the execution gas cost, it will be almost 3M, which is the limit.
Call submitTransaction about 100 times to reach 1200 (valid address, 0 and 0x00)
Call getTransactionIds with 0, 20, true, true
This will revert, running out of gas. While all those transaction are pending, even if you try to call it only looking for executed, it will still blow up or be very close to.
/// @dev Returns list of transaction IDs in defined range.
/// @param from Index start position of transaction array.
/// @param to Index end position of transaction array.
/// @param pending Include pending transactions.
/// @param executed Include executed transactions.
/// @return Returns array of transaction IDs.
function getTransactionIds(uint from, uint to, bool pending, bool executed)
public
constant
returns (uint[] _transactionIds)
{
uint[] memory transactionIdsTemp = new uint[](transactionCount);
uint count = 0;
uint i;
for (i=0; i<transactionCount; i++)
if ( pending && !transactions[i].executed
|| executed && transactions[i].executed)
{
transactionIdsTemp[count] = i;
count += 1;
}
_transactionIds = new uint[](to - from);
for (i=from; i<to; i++)
_transactionIds[i - from] = transactionIdsTemp[i];
}
Running 1 test for test/PoCTest.sol:PoCTest
[PASS] testAttack() (gas: 31621915)
Logs:
>>> Initial conditions: # transaction submitted --> 12000
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 411.76ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
