fix: cap endorsements to prevent endorsement-loop DoS

[SIDDHANTCOOKIE]

Addressed Issues:

Fixes #68

• Added MAX_ENDORSEMENTS = 100 in src/IdentityToken.sol.
• Added a guard in endorse() to revert with Errors.IndexOutOfBounds() when the cap is reached.
• Added test_RevertIf_MaxEndorsementsReached() in test/IdentityToken.t.sol to verify the 101st endorsement reverts.

Screenshots/Recordings:

TODO: If applicable, add screenshots or recordings that demonstrate the interface before and after the changes.

Additional Notes:

AI Usage Disclosure:

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact. AI slop is strongly discouraged and may lead to banning and blocking. Do not spam our repos with AI slop.

Check one of the checkboxes below:

• This PR does not contain AI-generated code at all.
• This PR contains AI-generated code. I have read the AI Usage Policy and this PR complies with this policy. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: TODO

Checklist

• My PR addresses a single issue, fixes a single bug or makes a single improvement.
• My code follows the project's code style and conventions
• If applicable, I have made corresponding changes or additions to the documentation
• If applicable, I have made corresponding changes or additions to tests
• My changes generate no new warnings or errors
• I have joined the Discord server and I will share a link to this PR with the project maintainers there
• I have read the Contribution Guidelines
• Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.
• I have filled this PR template completely and carefully, and I understand that my PR may be closed without review otherwise.

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced an endorsement limit of 100 per token. Each token can no longer receive endorsements beyond this maximum threshold, with excess attempts being rejected.

• Tests

  • Added comprehensive test coverage to validate endorsement limit enforcement, including validation of proper rejection when attempting to exceed the maximum capacity.

[coderabbitai]

Walkthrough

The changes implement a maximum endorsement limit by introducing a public constant MAX_ENDORSEMENTS = 100 to the IdentityToken contract and enforcing this cap in the endorse() function, which reverts with Errors.IndexOutOfBounds() when the limit is reached. A corresponding test validates this enforcement.

Changes

Cohort / File(s)	Summary
Endorsement Limit Enforcement src/IdentityToken.sol	Added public constant MAX_ENDORSEMENTS = 100 and implemented a revert check in endorse() to prevent exceeding the cap on endorsements per token.
Endorsement Limit Test test/IdentityToken.t.sol	Added test function test_RevertIf_MaxEndorsementsReached that verifies the contract reverts with Errors.IndexOutOfBounds when attempting to endorse beyond the 100-endorsement limit.

Possibly related PRs

• PR #2: Introduced the initial endorsements system that this PR now constrains with a maximum limit.
• PR #73: Modifies endorsement-related error handling and bounds checks using the same error patterns.

Suggested labels

Solidity Lang

Poem

A rabbit bounds through endorsement arrays,
But now a cap restrains endless praise—
One hundred voices, no more, no less,
No DoS demons in this blessed mess! 🐰✨

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding an endorsement cap to prevent DoS attacks via unbounded loops.
Linked Issues check	✅ Passed	The PR fully addresses issue #68 by implementing the MAX_ENDORSEMENTS cap and guard in endorse() to prevent unbounded array growth and related DoS attacks.
Out of Scope Changes check	✅ Passed	All changes are directly related to addressing the DoS vulnerability in issue #68; no out-of-scope modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/IdentityToken.sol`:
- Line 15: Add a getter declaration for the MAX_ENDORSEMENTS constant to the
IIdentityToken interface so external callers compiled against the interface can
read the cap; specifically add a function signature matching the public constant
getter (function MAX_ENDORSEMENTS() external view returns (uint256)) to
IIdentityToken (referencing MAX_ENDORSEMENTS and IIdentityToken) and ensure the
interface compiles with that new declaration.

In `@test/IdentityToken.t.sol`:
- Around line 298-305: The test uses a hardcoded cap of 100 when filling
endorsements; replace that literal with the contract constant by querying
identityToken.MAX_ENDORSEMENTS() into a uint256 (e.g., max) and loop for
(uint256 i = 0; i < max; i++) calling identityToken.endorse(...), then expect
the revert when calling identityToken.endorse with index equal to max
(Errors.IndexOutOfBounds.selector). Update references to the hardcoded 100 to
use max and keep aliceId, bobId, identityToken.endorse, and
Errors.IndexOutOfBounds.selector intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9ea1256f-b613-49a9-84aa-733e011e27ff

📥 Commits

Reviewing files that changed from the base of the PR and between 3ee7bc8 and 2cfe482.

📒 Files selected for processing (2)

• src/IdentityToken.sol
• test/IdentityToken.t.sol

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Expose the cap in IIdentityToken for typed integrators.

Consider adding the getter signature to the interface so clients compiled against IIdentityToken can discover the limit without implementation coupling.

♻️ Suggested interface addition

diff --git a/src/interfaces/IIdentityToken.sol b/src/interfaces/IIdentityToken.sol
@@
 interface IIdentityToken is IERC721, IERC721Metadata {
+    function MAX_ENDORSEMENTS() external view returns (uint256);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/IdentityToken.sol` at line 15, Add a getter declaration for the
MAX_ENDORSEMENTS constant to the IIdentityToken interface so external callers
compiled against the interface can read the cap; specifically add a function
signature matching the public constant getter (function MAX_ENDORSEMENTS()
external view returns (uint256)) to IIdentityToken (referencing MAX_ENDORSEMENTS
and IIdentityToken) and ensure the interface compiles with that new declaration.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Avoid hardcoded cap values in the boundary test.

Use identityToken.MAX_ENDORSEMENTS() to keep the test aligned if the cap changes.

♻️ Suggested test update

-        for (uint256 i = 0; i < 100; i++) {
+        uint256 maxEndorsements = identityToken.MAX_ENDORSEMENTS();
+        for (uint256 i = 0; i < maxEndorsements; i++) {
             vm.prank(alice);
             identityToken.endorse(aliceId, bobId, keccak256(abi.encodePacked("Connection", i)), 0);
         }

         vm.prank(alice);
         vm.expectRevert(Errors.IndexOutOfBounds.selector);
-        identityToken.endorse(aliceId, bobId, keccak256(abi.encodePacked("Connection", uint256(100))), 0);
+        identityToken.endorse(
+            aliceId,
+            bobId,
+            keccak256(abi.encodePacked("Connection", maxEndorsements)),
+            0
+        );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for (uint256 i = 0; i < 100; i++) {
	vm.prank(alice);
	identityToken.endorse(aliceId, bobId, keccak256(abi.encodePacked("Connection", i)), 0);
	}
	vm.prank(alice);
	vm.expectRevert(Errors.IndexOutOfBounds.selector);
	identityToken.endorse(aliceId, bobId, keccak256(abi.encodePacked("Connection", uint256(100))), 0);
	uint256 maxEndorsements = identityToken.MAX_ENDORSEMENTS();
	for (uint256 i = 0; i < maxEndorsements; i++) {
	vm.prank(alice);
	identityToken.endorse(aliceId, bobId, keccak256(abi.encodePacked("Connection", i)), 0);
	}
	vm.prank(alice);
	vm.expectRevert(Errors.IndexOutOfBounds.selector);
	identityToken.endorse(
	aliceId,
	bobId,
	keccak256(abi.encodePacked("Connection", maxEndorsements)),
	0
	);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/IdentityToken.t.sol` around lines 298 - 305, The test uses a hardcoded
cap of 100 when filling endorsements; replace that literal with the contract
constant by querying identityToken.MAX_ENDORSEMENTS() into a uint256 (e.g., max)
and loop for (uint256 i = 0; i < max; i++) calling identityToken.endorse(...),
then expect the revert when calling identityToken.endorse with index equal to
max (Errors.IndexOutOfBounds.selector). Update references to the hardcoded 100
to use max and keep aliceId, bobId, identityToken.endorse, and
Errors.IndexOutOfBounds.selector intact.