# Gas Limit Vulnerability {% hint style="info" %} [**Book an audit with Zokyo**](https://www.zokyo.io/) {% endhint %} Unbounded loops in Solidity smart contracts can create significant vulnerabilities, one of the most notable being the ‘Out of Gas’ vulnerability. This issue arises when a loop runs for an indeterminate or excessively high number of iterations, consuming more gas than a block’s gas limit, and causing transactions to fail. In this tutorial, we will dissect this vulnerability, understand its implications, and explore strategies to mitigate its risks. #### **Understanding the Vulnerability** In Ethereum, every operation, including computations and storage modifications, consumes gas. When a function with an unbounded loop is called, the loop might execute numerous iterations, each consuming gas. If the total gas consumption surpasses the block gas limit, the transaction will fail, potentially locking funds or rendering contract functionalities inoperable. **Examples of Vulnerabilities:** * A function within a contract iterates through an array or list. If this array becomes excessively large, iterating over it could consume gas past the block limit. * An attacker manipulates the contract, intentionally increasing the number of iterations a loop must perform, making certain contract functions unusable. #### **Implications of the ‘Out of Gas’ Vulnerability** * **Denial of Service (DoS):** Functions susceptible to this vulnerability can be rendered unusable, causing service disruptions. * **Locked Funds:** If a function responsible for funds withdrawal is affected, users might be unable to withdraw their assets, resulting in locked funds. * **Manipulation by Attackers:** Malicious actors could exploit this vulnerability to manipulate contract behavior, disrupting normal operations. **Real World Examples:** **\[M-10] Unbounded loop in withdraw() may cause rewards to be locked in the contract** - code4rena The `withdraw()` has an unbounded loop with external calls. If the gas costs of functions change between when deposits are made and when rewards are withdrawn, or if the gas cost of the deposit (`transferFrom()`) is less than the gas cost of the withdrawal (`transfer()`), then the `withdraw()` function may revert due to exceeding the block size gas limit. **\[M-20] massUpdatePools() is susceptible to DoS with block gas limit - unbounded loop** - code4rena `massUpdatePools()` is a public function and it calls the `updatePool()` function for the length of `poolInfo`. Hence, it is an unbounded loop, depending on the length of `poolInfo`. If `poolInfo.length` is big enough, block gas limit may be hit. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zokyo-auditing-tutorials.gitbook.io/zokyo-tutorials/tutorial-21-unbounded-loops/gas-limit-vulnerability.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.