Steadefi

Steadefi
DeFiHardhatFoundryOracle
35,000 USDC
View results
Submission Details
Severity: medium
Invalid

Try catch errors could lead to DOS atttacks

Summary

using a try catch in that way could introduce some DOS attacks as it gives it the power to affect the execution of our smart contract in case of errors. Malicious users could try to set some return values and have those affect the system

Vulnerability Details

we have to make this in such a way that when a transaction fails we are not going to allow it to affect execution of our contract in any way we just want to try catch it and if it fails we set our status and emit an event

Impact

execution of the contract will be affected in cases where we get unexpected errors as a malicious user could exploit this catch clause. a malicious user will say try to set the return value to something else that is not bytes say uint and have it affect the system

other instances
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXRebalance.sol#L114

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXRebalance.sol#L234

Tools Used

manual analysis

Recommendations

please not that this finding was inspired by Owen Thurm in his new advanced web 3 security course below is an excerpt where he talked of how this could cause DOS attacks

https://www.youtube.com/watch?v=DRZogmD647U&t=5186s

since you are not expecting to use any return values in this case, I would suggest your implementation to look like this

try GMXProcessDeposit.processDeposit(self) {
// Mint shares to depositor
self.vault.mint(self.depositCache.user, self.depositCache.sharesToUser);
self.status = GMXTypes.Status.Open;
emit DepositCompleted(
self.depositCache.user,
self.depositCache.sharesToUser,
self.depositCache.healthParams.equityBefore,
self.depositCache.healthParams.equityAfter
);
} catch {
self.status = GMXTypes.Status.Deposit_Failed;
emit DepositFailed();
}
Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
atoko Submitter
over 1 year ago
hans Auditor
over 1 year ago
atoko Submitter
over 1 year ago
hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.