Audit: PDM-007 - Limit size of vector in `orml-currencies-allowance-extension` pallet

Question

Audit: PDM-007 - Limit size of vector in `orml-currencies-allowance-extension` pallet

Closed this issue a year ago · 3 comments

As pointed out by the auditors, we should limit the size of the vector that is used in this pallet.
Instead of using a regular Vec which has an unlimited size, we should instead use a frame_support::BoundedVec and define a proper upper limit for that. Otherwise, the extrinsics could be called with excessively large data, potentially leading to long processing times or high resource consumption.

Since the related extrinsics can only be called by the root account, the severity of this issue is rather low.

Answer 1 · 2023-07-04T15:36:49.000Z

Hey team! Please add your planning poker estimate with Zenhub @ashneverdawn @TorstenStueber

Answer 2 · 2023-07-07T04:27:58.000Z

I think the use of Vec as an argument to an extrinsic is fine but obviously the length of the vector needs to go into the weight calculation. Here is an example of one of the core FRAME pallets. Is there a way to do execute the benchmarks to automatically pick up the length?

This way we don't need to think too hard about arbitrarily defined limits.

Answer 3 · 2023-07-07T07:10:44.000Z

Good point @TorstenStueber.

Is there a way to do execute the benchmarks to automatically pick up the length?

You already pointed to a good example. Here is a benchmark that would generate a weight that takes the length into account.