stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

SDLPoolSecondary._queueLockUpdate can revert with oog

Summary

If a user has queued many updates for a lock, settling them can fail with an out-of-gas error. As a result, the lock will be lost and the user will not be able to get the locked funds back.

Vulnerability Details

SDLPoolSecondary will be deployed on child chains. User requests are not executed immediately: they are queued, the information is sent to the main chain, and only after the response from the main chain arrives should users call executeQueuedOperations for their locks.

This function processes all queued mints and all updates for the existing locks.

When a user creates a new lock, there is a max count check, which protects the user from reverting with an out-of-gas error.

But when a user queues an update to a lock, there is no similar check, which means the user can queue as many updates for the lock as they want.

If a user has a large number of queued updates for a lock, _executeQueuedLockUpdates will fail with an out-of-gas error, and as a result the user will never be able to finalize the changes to the lock and withdraw it.

Impact

Lock can be lost.

Tools Used

VS Code

Recommendations

Apply the same limit check to the number of queued updates.
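
A sketch of what a per-lock cap on queued updates looks like, added here as an illustration; it is not code from the submission or from the stake.link code base. The contract name, function names, struct layout and the cap value are all hypothetical, and token transfers and cross-chain batching are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration; not stake.link code. All names and the cap are hypothetical.
contract BoundedLockUpdateQueue {
    struct LockUpdate {
        uint256 amount;
        uint64 lockingDuration;
    }

    // Assumed per-lock cap; size it so the settle loop stays well under the block gas limit.
    uint256 public constant MAX_QUEUED_UPDATES = 16;

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => LockUpdate) public locks;
    mapping(uint256 => LockUpdate[]) private queued;
    uint256 public nextLockId;

    error NotOwner();
    error TooManyQueuedUpdates();

    function createLock(uint256 amount, uint64 lockingDuration) external returns (uint256 id) {
        id = ++nextLockId;
        ownerOf[id] = msg.sender;
        locks[id] = LockUpdate(amount, lockingDuration);
    }

    // Queue side: reject the update once the cap is reached, so the queue
    // can never grow past what the settle loop is able to process.
    function queueLockUpdate(uint256 id, uint256 amount, uint64 lockingDuration) external {
        if (ownerOf[id] != msg.sender) revert NotOwner();
        if (queued[id].length >= MAX_QUEUED_UPDATES) revert TooManyQueuedUpdates();
        queued[id].push(LockUpdate(amount, lockingDuration));
    }

    // Settle side: the loop runs at most MAX_QUEUED_UPDATES times per call.
    function executeQueuedLockUpdates(uint256 id) external {
        if (ownerOf[id] != msg.sender) revert NotOwner();
        LockUpdate[] storage updates = queued[id];
        uint256 n = updates.length;
        for (uint256 i = 0; i < n; ++i) {
            locks[id] = updates[i]; // apply in queue order; the last update wins
        }
        delete queued[id]; // clearing is also bounded by the cap
    }

    function queuedCount(uint256 id) external view returns (uint256) {
        return queued[id].length;
    }
}
```

The check belongs on the queue side: a bound enforced only when settling would still let the queue grow without limit.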

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
