Last updated: February 06, 2026

SCWE-126: Unbounded Withdrawal Queue Growth

Stable Version v1.0

This content is version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Protocols that queue withdrawal requests without bounding the queue's length, or without processing it in batches, can exhaust the block gas limit once the queue grows large: a loop over the whole queue needs more gas than any block can supply, so every processing call reverts. An attacker can spam many small requests to make withdrawal execution revert (a denial of service) or to push legitimate users' withdrawals far back in the queue and force them to accept long delays.

Remediation

  • Cap the queue size, or process it in batches/pages with an upper bound on the number of items (and therefore gas) handled per call.
  • Charge a fee or require a minimum withdrawal amount so that spamming the queue costs the attacker more than it costs the protocol.
  • Let users cancel their own pending requests or claim in smaller chunks, rather than requiring the entire queue to be processed in one transaction.

Examples

Vulnerable

// Vulnerable: one call walks the whole queue. Once the queue is long enough
// that the loop needs more gas than a block allows, every call reverts and
// no withdrawal can be paid.
function processAll() external {
    for (uint256 i = 0; i < queue.length; i++) {
        _pay(queue[i]);
    }
}

Fixed

// Fixed: the caller chooses a window [start, start + max) and the loop is
// bounded by `max`. Note that `_pay` must mark each request as settled (and
// skip settled ones), otherwise a caller can replay a window and pay twice.
function processBatch(uint256 start, uint256 max) external {
    uint256 end = start + max;
    if (end > queue.length) end = queue.length;
    for (uint256 i = start; i < end; i++) {
        _pay(queue[i]);
    }
}
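A fuller version of the fix, combining the three remediation points above (a cap on pending requests, a minimum amount, and cursor-based batch processing with a user-side cancel). This is an added example written for this page, not SCWE or any project's code; the contract name, the constants MAX_QUEUE, MIN_AMOUNT and MAX_BATCH, the ETH-only balance model and the 50,000-gas push limit are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not SCWE/project code). Bounded withdrawal queue:
/// capped length, minimum amount, forward-only cursor, bounded batches.
contract BoundedWithdrawalQueue {
    struct Request {
        address payable user;
        uint256 amount;
        bool settled; // paid out, refunded, or cancelled
    }

    uint256 public constant MAX_QUEUE = 1_000;       // cap on pending requests (assumed)
    uint256 public constant MIN_AMOUNT = 0.01 ether; // spam deterrent (assumed)
    uint256 public constant MAX_BATCH = 50;          // upper bound per processing call (assumed)
    uint256 public constant PUSH_GAS = 50_000;       // gas forwarded per payout (assumed)

    Request[] public queue;
    uint256 public head; // index of the next unprocessed request; only moves forward
    mapping(address => uint256) public balances;

    event Requested(uint256 indexed id, address indexed user, uint256 amount);
    event Paid(uint256 indexed id, address indexed user, uint256 amount);
    event PayoutFailed(uint256 indexed id, address indexed user, uint256 amount);
    event Cancelled(uint256 indexed id);

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Enqueue a withdrawal. Rejected if below MIN_AMOUNT or if MAX_QUEUE
    /// requests are already pending, so the queue cannot grow without bound.
    function requestWithdrawal(uint256 amount) external returns (uint256 id) {
        require(amount >= MIN_AMOUNT, "below minimum");
        require(balances[msg.sender] >= amount, "insufficient balance");
        require(queue.length - head < MAX_QUEUE, "queue full");
        balances[msg.sender] -= amount; // lock funds at request time
        id = queue.length;
        queue.push(Request(payable(msg.sender), amount, false));
        emit Requested(id, msg.sender, amount);
    }

    /// Process up to `max` requests starting at the cursor. Anyone may call.
    /// Progress lives in `head`, so no window can be replayed and no request
    /// is ever paid twice. A recipient that reverts or burns gas is refunded
    /// to its balance instead of blocking everyone behind it.
    function processBatch(uint256 max) external returns (uint256 processed) {
        require(max > 0 && max <= MAX_BATCH, "bad batch size");
        uint256 end = head + max;
        if (end > queue.length) end = queue.length;
        for (uint256 i = head; i < end; i++) {
            Request storage r = queue[i];
            if (!r.settled) {
                r.settled = true; // effects before interaction
                (bool ok, ) = r.user.call{value: r.amount, gas: PUSH_GAS}("");
                if (ok) {
                    emit Paid(i, r.user, r.amount);
                } else {
                    balances[r.user] += r.amount; // keep the queue moving
                    emit PayoutFailed(i, r.user, r.amount);
                }
            }
            processed++;
        }
        head = end;
    }

    /// Users may cancel their own pending request; funds return to their balance.
    function cancel(uint256 id) external {
        require(id >= head && id < queue.length, "not pending");
        Request storage r = queue[id];
        require(r.user == msg.sender, "not owner");
        require(!r.settled, "already settled");
        r.settled = true;
        balances[msg.sender] += r.amount;
        emit Cancelled(id);
    }

    function pending() external view returns (uint256) {
        return queue.length - head;
    }
}
```

Two design points worth noting. First, `processBatch` takes no `start` argument: the cursor `head` is the only source of position, which closes the replay problem that an externally supplied `start` leaves open. Second, cancelled entries still occupy a slot until `head` passes them, so under sustained spam the effective cap is MAX_QUEUE slots rather than MAX_QUEUE live requests; a failed push is credited back to the user's balance rather than retried, and a production contract would usually pair that with a pull-style claim for recipients that need more than PUSH_GAS.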