
In an audit report of a DAPP, the conclusion is as follows: "if the user gets more parallel deposits his withdrawal transaction going to cost more transaction fee because the loop on the dynamic variable is used in the ‘withdraw’ function. In case exceeding the GAS limit of the size of the transaction, withdrawal is not possible." What does this mean?

Ray

1 Answer


Basically the DAPP is probably creating a new variable in an array for every user deposit.

When the user is going to withdraw his money, the contract needs to iterate through the whole array to sum up all of the money the user has deposited (the bigger the array, the more GAS this is going to cost). When insufficient gas is provided to a withdrawal transaction, it is going to fail. When the array becomes "too big", the GAS cost becomes unbearable, so this is also a potential security risk.

To my knowledge you should be using a mapping that maps the user address to a uint256 balance and update it every time there's a new deposit from the same user. This would prevent the array from getting bigger with every subsequent deposit.

contract Wallet {
    mapping(address => uint256) public balances;

    function deposit(uint256 amountToDeposit) public {
        // Add to the running balance so repeated deposits accumulate
        balances[msg.sender] += amountToDeposit;
    }
}

Also see this thread for more info about the difference between arrays and mappings: Store data in mapping vs. array
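
The pattern the audit finding describes, next to the mapping form suggested in the answer, shown as an added example (not code from the audited DAPP or from the answer's author). The contract names, the payable `deposit()` and `withdraw()` signatures, and the per-user array layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed layout of the audited pattern: one array entry per deposit.
contract ArrayWallet {
    mapping(address => uint256[]) private deposits;

    function deposit() external payable {
        deposits[msg.sender].push(msg.value); // array grows on every deposit
    }

    // Gas grows linearly with the number of deposits: every iteration does a
    // storage read and a storage write. With enough entries the call no longer
    // fits under the block gas limit and the funds cannot be withdrawn.
    function withdraw() external {
        uint256[] storage entries = deposits[msg.sender];
        uint256 total = 0;
        for (uint256 i = 0; i < entries.length; i++) {
            total += entries[i];
            entries[i] = 0; // zero each entry before any ether is sent
        }
        (bool ok, ) = msg.sender.call{value: total}("");
        require(ok, "transfer failed");
    }
}

// Mapping form: one storage slot per user, so withdraw() costs the same
// amount of gas however many deposits were made.
contract MappingWallet {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value; // accumulate, do not overwrite
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // clear the balance before sending
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing a contract for this finding, the thing to look for is any loop whose bound is a storage array length that a user action can increase.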