Skip to content

Child Bounties Count Exceeds MaxActiveChildBountyCount Limit #10652

New issue
New issue
Open
Open
Child Bounties Count Exceeds MaxActiveChildBountyCount Limit#10652
Assignees
sudhi76
Labels
C1-mentorA task where a mentor is available. Please indicate in the issue who the mentor could be.C2-good-first-issueA task for a first time contributor to become familiar with the Polkadot-SDK.D0-easyCan be fixed primarily by duplicating and adapting code by an intermediate coder.
@dhirajs0

Description

@dhirajs0
dhirajs0
opened on Dec 15, 2025

Summary

The add_child_bounty function in pallet-child-bounties allows creating one more child bounty than the configured MaxActiveChildBountyCount limit due to an off-by-one error in the validation check.

Description

In substrate/frame/child-bounties/src/lib.rs, the add_child_bounty function checks if the current count of active child bounties is less than or equal to MaxActiveChildBountyCount before incrementing the count. This allows the count to reach MaxActiveChildBountyCount + 1 instead of being capped at MaxActiveChildBountyCount.

Location

File: substrate/frame/child-bounties/src/lib.rs

ensure!(
    ParentChildBounties::<T>::get(parent_bounty_id) <=
        T::MaxActiveChildBountyCount::get() as u32,
    Error::<T>::TooManyChildBounties,
);

Root Cause

The validation check uses <= (less than or equal) instead of < (less than). Since the count is incremented immediately after this check (line 323), when the current count equals MaxActiveChildBountyCount, the check passes and the count is incremented, resulting in MaxActiveChildBountyCount + 1 active child bounties.

Expected Behavior

The maximum number of active child bounties should never exceed MaxActiveChildBountyCount. When the count reaches the limit, no additional child bounties should be allowed.

Proposed Fix

Change the comparison operator from <= to <:

ensure!(
    ParentChildBounties::<T>::get(parent_bounty_id) <
        T::MaxActiveChildBountyCount::get() as u32,
    Error::<T>::TooManyChildBounties,
);

This ensures that when the current count equals MaxActiveChildBountyCount, the check fails, preventing the creation of an additional child bounty.

Impact

  • Severity: Medium
  • Affected Functionality: Child bounty creation limit enforcement
  • Potential Consequences:
    • Runtime configuration limits are not properly enforced
    • Could lead to unexpected behavior if other parts of the system assume the limit is strictly enforced

Steps to Reproduce

  1. Configure MaxActiveChildBountyCount to a specific value (e.g., 5)
  2. Create exactly MaxActiveChildBountyCount child bounties for a parent bounty
  3. Attempt to create one more child bounty
  4. Observed: The child bounty is created successfully
  5. Expected: The call should fail with Error::TooManyChildBounties

Testing Recommendations

  1. Add a test case that verifies the limit is strictly enforced
  2. Test the edge case where count equals MaxActiveChildBountyCount
  3. Verify that the error TooManyChildBounties is returned when attempting to exceed the limit

Metadata

Metadata

Assignees

Labels

C1-mentorA task where a mentor is available. Please indicate in the issue who the mentor could be.C2-good-first-issueA task for a first time contributor to become familiar with the Polkadot-SDK.D0-easyCan be fixed primarily by duplicating and adapting code by an intermediate coder.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions