Return to All Submissions
previous next
Submission Details

#18 Unbounded loop leads gas DOS.

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L56C1-L61C10

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L49C1-L52C10

Summary

PendingStakes and holders array which is stored as the state variables. If this arrays length extended to few hundreds it will potentially leads to reach the block.gasLimit and DOS.

Vulnerability Details

Function getTstTotal() have for-loop is used to get total TST tokens by doing sum of array which leads to potential DOS if holders and pendingStakes array length have few hundreds.by calling all array data which is highly gas expensive it leads to hits the block.gaslimit in one transaction.

    function getTstTotal() private view returns (uint256 _tst) { // Un-bound loop leads To gas DOS
        for (uint256 i = 0; i < holders.length; i++) {
            _tst += positions[holders[i]].TST;
        }
        for (uint256 i = 0; i < pendingStakes.length; i++) {
            _tst += pendingStakes[i].TST;
        }
    }

In the above code we can see that two for-loops calls the holders and pendingStakes arrays in one transaction if two arrays have few hundreds length then it enough to make DOS by reaching block.gasLimit.

We noticed that protocol deploys on arbitrum but we can see block.gasLimit on arbitrum.

Before submitting this report the latest transaction made on arbitrum here :-

https://arbiscan.io/block/164636936

Arbitrum block gas limit :- 1,125,899,906,842,624

The simple swap transaction cost 4,227,935 on arbitrum.

Then few hundreds array length is enough to cause the DOS.

Impact

It will create DOS(denial of service) to subsequent requests.

Tools Used

Manual View

Recommendations

Add a mechanism which user can specify the min-max length of the array.

Instances

Below function which is also associated with DOS gas-limi issue getStakeTotal()

holderPendingStakes()

deleteHolder()

deletePendingStake()

addUniqueHolder

consolidatePendingStakes()

Function which is associated with above function also lands on DOS.

Comments and Activity

Lead Judging Started
hrishibhat Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

ljj Auditor
4 months ago

pendingstake-dos findings should be invalid. README states that It is a known issue. "vaults function array length is unchecked going into for loop. An abuse of NFT minting by a user could prevent them from being able to use this vaults function" "Length of accepted tokens array throughout contract is unchecked, but this Token Manager contract is managed by us and there is unlikely to be more than 5-10 tokens in this array" "No length check for number of stake holders. This could cause a problem throughout contract if there are a high number of stakers" "TokenManager getAcceptedTokens array length unchecked, but uses an administrative contract which is managed by us. Unlikely to be more than 5-10 items"

syahirAmali Auditor
4 months ago

Thats entirely a different case, the known issue mentioned was with a different variable, the pendingStake variable is the vulnerability in question here. And the attack vector is entirely different. While I think the issue is there, this report doesn't highlight the actual attack vector and how an attacker can take advantage of it.

hrishibhat Lead Judge
3 months ago

This is a valid issue. This issue does not depend on the number of holders
hrishibhat Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high