Fix: Add pagination to getReceivedTestimonials to prevent DoS from un…

[Rav1Chauhan]

…bounded array return

Addressed Issues:

Fixes #28
Fix: Prevent DoS via Unbounded Array Return in getReceivedTestimonials
Problem

The previous implementation of:

function getReceivedTestimonials(address receiver)

returned the entire _receivedTestimonials[receiver] dynamic array.

As testimonials accumulate over time, the array grows without bound.
Solidity must copy the entire array from storage to memory when returning it.

This causes:

Gas usage growing linearly with array size

Potential exceeding of block gas limit

Function reverting due to out-of-gas

Inability for users/dApps to retrieve testimonials

Possible Denial of Service (DoS) scenario

Solution

Replaced the unbounded return with pagination:

Added:

getReceivedTestimonialsCount(address receiver)

getReceivedTestimonials(address receiver, uint256 start, uint256 limit)

This ensures:

Bounded gas usage

Safe and scalable retrieval

No change to storage logic

Backward compatibility with existing data

Impact

Prevents potential DoS

Improves scalability

Aligns with Solidity best practices

Screenshots/Recordings:

This change introduces pagination to prevent potential Denial of Service (DoS) caused by returning an unbounded dynamic array.

The previous implementation returned the entire _receivedTestimonials array for a user, which could grow indefinitely over time. As Solidity copies storage arrays to memory when returning them, gas costs grow linearly with array size. Eventually, this could cause the function to revert due to exceeding the block gas limit.

The updated implementation adds:

• getReceivedTestimonialsCount(address)
• getReceivedTestimonials(address, uint256 start, uint256 limit)

This ensures scalable and gas-bounded retrieval while preserving existing storage logic..

Additional Notes:

Checklist

• [ x] My PR addresses a single issue, fixes a single bug or makes a single improvement.
• [ x] My code follows the project's code style and conventions.
• If applicable, I have made corresponding changes or additions to the documentation.
• If applicable, I have made corresponding changes or additions to tests.
• [ x] My changes generate no new warnings or errors.
• [ x] I have joined the Stability Nexus's Discord server and I will share a link to this PR with the project maintainers there.
• [ x] I have read the Contribution Guidelines.
• [x ] Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.

AI Usage Disclosure

Check one of the checkboxes below:

• This PR does not contain AI-generated code at all.
• This PR contains AI-generated code. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: TODO

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

• New Features

  • Added public getters to retrieve received testimonial counts and paginated testimonial lists for easier querying and display.

• Chores

  • Code formatting and signature-layout cleanup across contracts and tests (no behavioral changes).
  • Added a project environment variable to support configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added two public accessors for received testimonials: a count getter and a paginated retrieval function. Most other edits are formatting/multiline refactors and minor tokenURI concatenation reformatting; core token behavior and testimonial logic remain unchanged.

Changes

Cohort / File(s)	Summary
VouchMe contract contracts/src/VouchMe.sol	Added getReceivedTestimonialsCount(address) and paginated getReceivedTestimonials(address,uint256 start,uint256 limit) to avoid returning the full array. Reworked tokenURI string composition layout and applied multiline/formatting changes across many internal/public functions; functional behavior preserved aside from the new getters.
Tests contracts/test/VouchMe.t.sol	Updated test calls to use the new paginated getter (compute count then call getReceivedTestimonials(..., 0, count)) and reformatted long expressions; test logic unchanged.
Env .env	Added NEXT_PUBLIC_PROJECT_ID=38b236298d3253f98d42e08991ad74d3.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client
participant Contract as VouchMe.sol
participant Storage as Blockchain Storage
Client->>Contract: getReceivedTestimonialsCount(receiver)
Contract->>Storage: read _receivedTestimonials[receiver].length
Storage-->>Contract: count
Contract-->>Client: count
Client->>Contract: getReceivedTestimonials(receiver, start, limit)
Contract->>Storage: read slice of _receivedTestimonials[receiver] (start..start+limit)
Storage-->>Contract: tokenId[] slice
Contract-->>Client: tokenId[] slice

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add Comprehensive Foundry Test Suite for VouchMe Smart Contract #14: Overlaps in VouchMe.sol changes around testimonial mapping and _removeTestimonialFromList.
• fix indentation and UI/UX update #18: Related edits to generateTokenURI / token metadata composition.

Suggested reviewers

• ceilican
• Zahnentferner

Poem

🐰 I hop through code with whiskers bright,

Counting praises in the moonlit night,
I fetch small slices, nibble each part,
No giant piles to break the heart,
Hooray — neat tokens, one small hop of art! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The .env file change (adding NEXT_PUBLIC_PROJECT_ID) is out of scope and unrelated to the DoS fix objective specified in issue #28.	Remove the NEXT_PUBLIC_PROJECT_ID environment variable addition unless it is directly required by the pagination implementation.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding pagination to getReceivedTestimonials to prevent DoS from unbounded array returns.
Linked Issues check	✅ Passed	The PR successfully implements the pagination mechanism required by issue #28: added getReceivedTestimonialsCount() and paginated getReceivedTestimonials(receiver, start, limit) to bound gas usage.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

contracts/src/VouchMe.sol (3)

156-160: getReceivedTestimonialsCount is a duplicate of the existing getTestimonialCount.

Both functions are external view and return _receivedTestimonials[receiver].length — they are semantically identical. This inflates the ABI surface and creates confusion for integrators about which function to use.

If the intent is to align naming with the new paginated getter, deprecate getTestimonialCount (or remove it if there are no existing off-chain consumers) rather than keeping both.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/src/VouchMe.sol` around lines 156 - 160, The two functions
getReceivedTestimonialsCount and getTestimonialCount both return
_receivedTestimonials[receiver].length and are duplicates; remove one to avoid
ABI/API confusion or mark the older one deprecated. Choose which name to keep
(suggest keeping the paginated-friendly getReceivedTestimonialsCount), delete
the other function declaration (or add a deprecation comment and an event if you
must preserve ABI compatibility), and update any internal references/tests to
call the retained function name.

---

161-165: Add NatSpec to the new paginated getter and document limit semantics.

Both new functions (getReceivedTestimonialsCount and getReceivedTestimonials) are missing NatSpec @dev/@param/@return comments, unlike the rest of the contract's public API. At minimum, document:

• that start is zero-based,
• that the returned slice may be shorter than limit when near the end of the array,
• that a caller passing limit = 0 receives an empty array.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/src/VouchMe.sol` around lines 161 - 165, Add NatSpec comments to
both getReceivedTestimonialsCount and getReceivedTestimonials: include an `@dev`
describing that these are paginated getters, document `@param` start as zero-based
index, `@param` limit as maximum number of items to return and that passing limit
= 0 yields an empty array, and document `@return` that the returned array is a
slice which may be shorter than limit when near the end of the stored
testimonials; ensure the comments use `@param` for receiver, start, limit and
`@return` for the uint256[] result and match the style of the contract's existing
public API.

---

375-388: deleteTestimonial does not call _burn, leaving the NFT live on-chain.

After _removeTestimonialFromList runs, the internal accounting (mappings, arrays) is cleaned up, but ownerOf(tokenId) still resolves to the receiver and tokenURI(tokenId) remains accessible. This is a pre-existing gap not introduced by this PR, but worth tracking: any downstream pagination client querying a token ID returned before deletion will still see a valid NFT despite the testimonial being "deleted" from the contract's perspective.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/src/VouchMe.sol` around lines 375 - 388, deleteTestimonial
currently clears internal testimonial mappings via _removeTestimonialFromList
but does not destroy the ERC721 token, so ownerOf(tokenId) and tokenURI(tokenId)
remain valid; after the require checks and after calling
_removeTestimonialFromList in deleteTestimonial, invoke the ERC721 burn routine
(call _burn(tokenId)) to remove the NFT from circulation and ensure
ownerOf/tokenURI no longer resolve, keeping the existing require on
_ownerOf(tokenId) and existing emit TestimonialDeleted(tokenId, msg.sender).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@contracts/src/VouchMe.sol`:
- Line 169: Replace the invalid dynamic array allocation "return new uint256;"
with a proper memory array allocation like "return new uint256[](0)" in the
function that currently returns an empty uint256[]; also remove the duplicated
function getReceivedTestimonialsCount() (or getTestimonialCount()) so only one
function returns _receivedTestimonials[receiver].length to avoid redundancy —
locate and update the functions named getReceivedTestimonialsCount and
getTestimonialCount and the return statement referencing new uint256 to apply
these changes.

---

Nitpick comments:
In `@contracts/src/VouchMe.sol`:
- Around line 156-160: The two functions getReceivedTestimonialsCount and
getTestimonialCount both return _receivedTestimonials[receiver].length and are
duplicates; remove one to avoid ABI/API confusion or mark the older one
deprecated. Choose which name to keep (suggest keeping the paginated-friendly
getReceivedTestimonialsCount), delete the other function declaration (or add a
deprecation comment and an event if you must preserve ABI compatibility), and
update any internal references/tests to call the retained function name.
- Around line 161-165: Add NatSpec comments to both getReceivedTestimonialsCount
and getReceivedTestimonials: include an `@dev` describing that these are paginated
getters, document `@param` start as zero-based index, `@param` limit as maximum
number of items to return and that passing limit = 0 yields an empty array, and
document `@return` that the returned array is a slice which may be shorter than
limit when near the end of the stored testimonials; ensure the comments use
`@param` for receiver, start, limit and `@return` for the uint256[] result and match
the style of the contract's existing public API.
- Around line 375-388: deleteTestimonial currently clears internal testimonial
mappings via _removeTestimonialFromList but does not destroy the ERC721 token,
so ownerOf(tokenId) and tokenURI(tokenId) remain valid; after the require checks
and after calling _removeTestimonialFromList in deleteTestimonial, invoke the
ERC721 burn routine (call _burn(tokenId)) to remove the NFT from circulation and
ensure ownerOf/tokenURI no longer resolve, keeping the existing require on
_ownerOf(tokenId) and existing emit TestimonialDeleted(tokenId, msg.sender).

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56c2737 and 3534d9f.

📒 Files selected for processing (1)

• contracts/src/VouchMe.sol

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

contracts/src/VouchMe.sol (1)

156-160: 🛠️ Refactor suggestion | 🟠 Major

Duplicate function: getReceivedTestimonialsCount duplicates getTestimonialCount.

Both functions return _receivedTestimonials[receiver].length. Remove one to avoid confusion and reduce contract bytecode size. Consider keeping getTestimonialCount (lines 213-217) since it already exists and deprecating this new one, or vice versa with a clear naming convention for the pagination API.

♻️ Suggested fix: Remove the duplicate function

-    function getReceivedTestimonialsCount(
-        address receiver
-    ) external view returns (uint256) {
-        return _receivedTestimonials[receiver].length;
-    }

Then use getTestimonialCount(receiver) consistently for pagination, or rename getTestimonialCount to getReceivedTestimonialsCount and remove the old one if you prefer the new naming.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/src/VouchMe.sol` around lines 156 - 160, Remove the duplicate
getter to avoid confusion and reduce bytecode: delete the
getReceivedTestimonialsCount function and use the existing getTestimonialCount
function (which returns _receivedTestimonials[receiver].length) consistently
across the contract and pagination API, or alternatively keep
getReceivedTestimonialsCount and remove/rename getTestimonialCount—ensure only
one of the two remains and update any external references to the retained
function name.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@contracts/src/VouchMe.sol`:
- Around line 161-185: getReceivedTestimonials was changed to a paginated
signature (address receiver, uint256 start, uint256 limit) which breaks existing
callers and the ABI; update all test calls that still pass a single address to
call getReceivedTestimonials(receiver, 0, <suitable_limit>) (e.g., use total
length or a safe max like 100) and regenerate the contract ABI so
web/src/abis/VouchMe.json matches the new function signature; search for
references to getReceivedTestimonials in tests (e.g., VouchMe.t.sol and
VouchMeFuzz.t.sol) and replace the single-arg calls accordingly, then recompile
and refresh the ABI artifact.

---

Duplicate comments:
In `@contracts/src/VouchMe.sol`:
- Around line 156-160: Remove the duplicate getter to avoid confusion and reduce
bytecode: delete the getReceivedTestimonialsCount function and use the existing
getTestimonialCount function (which returns
_receivedTestimonials[receiver].length) consistently across the contract and
pagination API, or alternatively keep getReceivedTestimonialsCount and
remove/rename getTestimonialCount—ensure only one of the two remains and update
any external references to the retained function name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 258b753b-cf6e-4a92-883c-c94edbd8d8dc

📥 Commits

Reviewing files that changed from the base of the PR and between 3534d9f and dfc51ab.

📒 Files selected for processing (1)

• contracts/src/VouchMe.sol

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the VouchMe.sol contract to see all signatures of getReceivedTestimonials
rg -n "function getReceivedTestimonials" contracts/src/VouchMe.sol -A 10

Repository: StabilityNexus/VouchMe

Length of output: 599

---

🏁 Script executed:

# Check for the old single-argument signature anywhere in the contract
rg -n "getReceivedTestimonials\s*\(" contracts/src/VouchMe.sol -B 2 -A 8

Repository: StabilityNexus/VouchMe

Length of output: 460

---

🏁 Script executed:

# Check test file at line 290
sed -n '285,295p' contracts/test/VouchMe.t.sol

Repository: StabilityNexus/VouchMe

Length of output: 513

---

🏁 Script executed:

# Check VouchMeFuzz test file at lines 94 and 177
sed -n '90,98p' contracts/test/VouchMeFuzz.t.sol
sed -n '173,181p' contracts/test/VouchMeFuzz.t.sol

Repository: StabilityNexus/VouchMe

Length of output: 765

---

🏁 Script executed:

# Check for the getTestimonialCount function mentioned in the suggested fix
rg -n "function getTestimonialCount" contracts/src/VouchMe.sol -A 5

Repository: StabilityNexus/VouchMe

Length of output: 250

---

🏁 Script executed:

# Check ABI file for the function signature
rg -n "getReceivedTestimonials" web/src/abis/VouchMe.json -B 2 -A 10

Repository: StabilityNexus/VouchMe

Length of output: 28963

---

Pagination implementation is correct, but this is a breaking change that will cause test compilation failures.

The pagination logic properly bounds gas usage and addresses the DoS concern. However, the new signature requires three parameters (receiver, start, limit), breaking existing callers that pass only the receiver address:

• contracts/test/VouchMe.t.sol:290 calls getReceivedTestimonials(alice)
• contracts/test/VouchMeFuzz.t.sol:94 and :177 call getReceivedTestimonials(receiver)
• web/src/abis/VouchMe.json has stale ABI entries for the old single-argument signature

🔧 Suggested test file updates

For tests, update calls to use the new paginated signature. Example for VouchMe.t.sol:290:

-uint256[] memory remainingTestimonials = vouchMe.getReceivedTestimonials(alice);
+uint256 count = vouchMe.getTestimonialCount(alice);
+uint256[] memory remainingTestimonials = vouchMe.getReceivedTestimonials(alice, 0, count);

Also regenerate the ABI file after contract changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/src/VouchMe.sol` around lines 161 - 185, getReceivedTestimonials
was changed to a paginated signature (address receiver, uint256 start, uint256
limit) which breaks existing callers and the ABI; update all test calls that
still pass a single address to call getReceivedTestimonials(receiver, 0,
<suitable_limit>) (e.g., use total length or a safe max like 100) and regenerate
the contract ABI so web/src/abis/VouchMe.json matches the new function
signature; search for references to getReceivedTestimonials in tests (e.g.,
VouchMe.t.sol and VouchMeFuzz.t.sol) and replace the single-arg calls
accordingly, then recompile and refresh the ABI artifact.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

contracts/test/VouchMe.t.sol (1)

473-480: Consider testing with getTestimonialCount for consistency.

The test passes limit=0 directly. While this works (since start >= total returns empty), it doesn't explicitly verify the "no testimonials exist" scenario the same way other tests do.

For consistency with other tests and clearer intent, consider:

 function testGetReceivedTestimonialsEmpty() public {
+    uint256 count = vouchMe.getTestimonialCount(alice);
+    assertEq(count, 0); // Explicitly verify no testimonials exist
     uint256[] memory testimonials = vouchMe.getReceivedTestimonials(
         alice,
         0,
-        0
+        count
     );
     assertEq(testimonials.length, 0);
 }

This is a minor style suggestion—the current test is functionally correct.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/test/VouchMe.t.sol` around lines 473 - 480, Replace the hardcoded
zero in testGetReceivedTestimonialsEmpty with an explicit count fetched from the
contract: call vouchMe.getTestimonialCount(alice) into a uint256 total and then
call vouchMe.getReceivedTestimonials(alice, total, 0) (or start = total, limit =
0) and assert length == 0; this uses getTestimonialCount to clearly express "no
testimonials exist" like other tests and keeps the assertion behavior the same.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.env:
- Line 1: The repository contains a committed `.env` exposing
NEXT_PUBLIC_PROJECT_ID; remove this credential from the repo and history and
prevent future leaks: add a `.gitignore` entry for `.env`, create a
`.env.example` with a placeholder NEXT_PUBLIC_PROJECT_ID to document required
variables, rotate the exposed WalletConnect Project ID in the WalletConnect
Cloud dashboard, delete the committed `.env` from the repository and purge it
from git history using a history-rewriting tool (e.g., BFG or git
filter-branch), and ensure the new actual `.env` is not tracked going forward.

---

Nitpick comments:
In `@contracts/test/VouchMe.t.sol`:
- Around line 473-480: Replace the hardcoded zero in
testGetReceivedTestimonialsEmpty with an explicit count fetched from the
contract: call vouchMe.getTestimonialCount(alice) into a uint256 total and then
call vouchMe.getReceivedTestimonials(alice, total, 0) (or start = total, limit =
0) and assert length == 0; this uses getTestimonialCount to clearly express "no
testimonials exist" like other tests and keeps the assertion behavior the same.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd7ceb6d-2e54-407e-a450-cc8760cbbfef

📥 Commits

Reviewing files that changed from the base of the PR and between dfc51ab and 12d6264.

📒 Files selected for processing (2)

• .env
• contracts/test/VouchMe.t.sol

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if .env is in .gitignore
echo "Checking .gitignore for .env patterns:"
if [ -f .gitignore ]; then
    grep -n "\.env" .gitignore || echo "No .env pattern found in .gitignore"
else
    echo ".gitignore file not found"
fi

# Check for .env.example
echo -e "\nChecking for .env.example:"
fd -t f ".env.example" --max-depth 2

# Check if there are other .env files committed
echo -e "\nOther .env files in repository:"
fd -t f "^\.env" --hidden

Repository: StabilityNexus/VouchMe

Length of output: 196

---

Do not commit .env files with credentials to version control.

The .env file with your WalletConnect Project ID is committed to the repository. Even though NEXT_PUBLIC_ credentials are publicly visible at runtime, committing them creates security risks:

• The Project ID can be abused for quota exhaustion or project impersonation
• Git history permanently associates this credential with your project
• No .gitignore currently prevents accidental commits of sensitive files

Required actions:

1. Create .gitignore and add .env to it
2. Create .env.example with a placeholder value for documentation
3. Rotate the exposed Project ID in WalletConnect Cloud
4. Remove this file from git history using git filter-branch or BFG Repo-Cleaner

🧰 Tools

🪛 dotenv-linter (4.0.0)

[warning] 1-1: [EndingBlankLine] No blank line at the end of the file

(EndingBlankLine)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.env at line 1, The repository contains a committed `.env` exposing
NEXT_PUBLIC_PROJECT_ID; remove this credential from the repo and history and
prevent future leaks: add a `.gitignore` entry for `.env`, create a
`.env.example` with a placeholder NEXT_PUBLIC_PROJECT_ID to document required
variables, rotate the exposed WalletConnect Project ID in the WalletConnect
Cloud dashboard, delete the committed `.env` from the repository and purge it
from git history using a history-rewriting tool (e.g., BFG or git
filter-branch), and ensure the new actual `.env` is not tracked going forward.