Controlled Array Length
Detects unbounded dynamic arrays that can grow without limit, enabling denial-of-service through gas exhaustion on iteration.
Overview
The controlled array length detector identifies storage arrays that can grow without bound and are iterated over in a single transaction. When any user can push elements to an array and a function loops over all elements, the gas cost grows linearly with the array size. Once the array is large enough, the loop exceeds the block gas limit and the function becomes permanently uncallable.
Why This Is an Issue
This is a classic denial-of-service vector. An attacker can repeatedly call a function that appends to the array (e.g., registering as a participant, adding a token to a whitelist) until the array is so large that any function iterating over it reverts. If the iterated function handles withdrawals, rewards, or governance actions, those operations become permanently blocked.
How to Resolve
    // Before: Vulnerable — unbounded array with full iteration
    address[] public participants;

    function register() external {
        participants.push(msg.sender); // Grows without limit
    }

    function distributeRewards() external {
        for (uint i = 0; i < participants.length; i++) { // DoS when array is large
            _sendReward(participants[i]);
        }
    }

    // After: Fixed — paginated processing with pull pattern
    function distributeRewards(uint256 start, uint256 count) external {
        uint256 end = start + count;
        // Clamp the requested range to the current array length
        if (end > participants.length) end = participants.length;
        // Each call touches at most `count` elements, so gas per call is bounded
        for (uint i = start; i < end; i++) {
            _sendReward(participants[i]);
        }
    }
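The comment on the fixed snippet names a pull pattern, which the snippet itself does not show. The following is an added example, not code from the original page: the contract `PullRewards` and all of its function and variable names are hypothetical, and it assumes rewards are paid in ether and split equally among the addresses registered at funding time.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contract and names): pull-based rewards.
// No function loops over participants, so per-call gas does not depend
// on how many addresses have registered.
contract PullRewards {
    uint256 public participantCount;
    // Cumulative wei credited to each participant registered so far.
    uint256 public accRewardPerParticipant;
    mapping(address => bool) public registered;
    // Value of accRewardPerParticipant already settled for each address.
    mapping(address => uint256) public settled;

    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        // Start from the current accumulator: no share of earlier deposits.
        settled[msg.sender] = accRewardPerParticipant;
        participantCount += 1;
    }

    // Replaces the loop in distributeRewards(): O(1) bookkeeping only.
    function fundRewards() external payable {
        require(participantCount > 0, "no participants");
        // Integer division; the remainder (dust) stays in the contract.
        accRewardPerParticipant += msg.value / participantCount;
    }

    function pending(address who) public view returns (uint256) {
        if (!registered[who]) return 0;
        return accRewardPerParticipant - settled[who];
    }

    // Each participant withdraws their own reward and pays their own gas.
    function claim() external {
        uint256 amount = pending(msg.sender);
        require(amount > 0, "nothing to claim");
        // Update state before the external call (checks-effects-interactions).
        settled[msg.sender] = accRewardPerParticipant;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because registration only writes to mappings and a counter, mass registration raises no other caller's gas cost; it only dilutes the per-participant share of later deposits.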
Detection Methodology
- Storage array identification: Locates dynamic arrays in storage by detecting SLOAD/SSTORE patterns on consecutive slots (length at slot N, elements at keccak256(N)+i).
- Growth analysis: Checks for push operations (length increment + element store) that are callable by external users.
- Iteration detection: Identifies loops that read the array length as a loop bound.
- Pagination check: Filters out loops that use start/end parameters or process a bounded subset.
Limitations
- False positives: Arrays with admin-only push access (where only the owner can grow the array) are less exploitable but may still be flagged.
- False negatives: Arrays that are iterated indirectly (via a mapping lookup per element) may not be detected.
Related Detectors
- DoS — detects denial-of-service patterns broadly
- Loop Gas Exhaustion — detects loops that exceed block gas limits