Summary
In the working-group module the add_opening extrinsic does not require a deposit for adding a new opening (it is only callable by the working group lead). Since working group openings are stored on-chain, a malicious working group lead could use this extrinsic to exhaust the storage of the blockchain.
Issue
In the working-group module the add_opening extrinsic has the following issues:
There is no upper limit on the number of openings that can be added.
Calling this extrinsic is cheap, since no deposit is required.
Therefore, a malicious working group lead could create a large number of new job openings by calling this extrinsic and consequently fill up the blockchain storage.
Risk
This issue would allow a malicious working group lead to fill up the blockchain storage by adding an arbitrary number of job openings. A full storage is problematic because it could lead to an infeasible amount of storage being required to run a blockchain node.
Since only working group leads can call this extrinsic, and they should be trusted actors with a high stake in the system, we consider this issue to be of low severity.
Mitigation
We suggest requiring a deposit for adding a job opening or, alternatively, limiting the number of open positions (for example to MaxWorkerNumberLimit + 10) to prevent attackers from filling up the blockchain storage.
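The following is an added illustration of both suggested mitigations (a cap of MaxWorkerNumberLimit + 10 on stored openings and a reserved deposit per opening) as a plain-Rust model; it is not the working-group pallet's code, and the lead account, balances, MAX_WORKER_NUMBER_LIMIT value and deposit amount are constructed assumptions.

```rust
use std::collections::BTreeMap;

// Assumed stand-in for the pallet's MaxWorkerNumberLimit parameter (constructed value).
const MAX_WORKER_NUMBER_LIMIT: u32 = 20;
// Headroom on top of the worker limit, as suggested in the mitigation.
const OPENING_HEADROOM: u32 = 10;
// Assumed deposit reserved from the lead for every stored opening (constructed value).
const OPENING_DEPOSIT: u64 = 100;

#[derive(Debug, PartialEq)]
pub enum Error { NotLead, TooManyOpenings, InsufficientBalance }

#[derive(Default)]
pub struct WorkingGroup {
    lead: u64,                       // account id of the working group lead
    balances: BTreeMap<u64, u64>,    // free balance per account (toy ledger)
    reserved: BTreeMap<u64, u64>,    // deposits locked per account
    openings: BTreeMap<u32, String>, // opening id -> description, the "on-chain" storage
    next_opening_id: u32,
}

impl WorkingGroup {
    pub fn new(lead: u64, lead_balance: u64) -> Self {
        let mut wg = WorkingGroup { lead, ..Default::default() };
        wg.balances.insert(lead, lead_balance);
        wg
    }

    /// Mitigated add_opening: caller must be the lead, the number of stored
    /// openings is bounded, and a deposit is reserved so spam is not free.
    pub fn add_opening(&mut self, caller: u64, desc: &str) -> Result<u32, Error> {
        if caller != self.lead { return Err(Error::NotLead); }
        let cap = MAX_WORKER_NUMBER_LIMIT + OPENING_HEADROOM;
        if self.openings.len() as u32 >= cap { return Err(Error::TooManyOpenings); }
        let free = self.balances.get(&caller).copied().unwrap_or(0);
        if free < OPENING_DEPOSIT { return Err(Error::InsufficientBalance); }
        // Move the deposit from free to reserved before touching storage.
        self.balances.insert(caller, free - OPENING_DEPOSIT);
        *self.reserved.entry(caller).or_insert(0) += OPENING_DEPOSIT;
        let id = self.next_opening_id;
        self.next_opening_id += 1;
        self.openings.insert(id, desc.to_string());
        Ok(id)
    }

    pub fn opening_count(&self) -> usize { self.openings.len() }
    pub fn free_balance_of(&self, who: u64) -> u64 { self.balances.get(&who).copied().unwrap_or(0) }
    pub fn reserved_of(&self, who: u64) -> u64 { self.reserved.get(&who).copied().unwrap_or(0) }
}
```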