stake.link

Summary

In the SDLPoolSecondary contract, the executeQueuedOperations function allows for the possibility of passing an empty array (_lockIds) without any validation. Consequently, this leads to an unnecessary invocation of the _executeQueuedLockUpdates function, which, in turn, triggers the updateRewards(_owner) modifier. This modifier involves a loop to update rewards for a given account, resulting in significant unnecessary computations and gas wastage. The absence of validation for an empty _lockIds array can adversely impact users by causing unnecessary financial losses due to excessive gas consumption.

Vulnerability Details

The vulnerability arises from the oversight in not checking for an empty _lockIds array within the executeQueuedOperations function. This oversight leads to the execution of _executeQueuedLockUpdates with an empty array, causing unnecessary computations within the updateRewards(_owner) modifier.

Impact

The impact of this vulnerability is twofold. Firstly, it results in unnecessary gas consumption due to the execution of computations with an empty array. Secondly, users may incur additional financial losses as a consequence of this inefficient gas usage.

Tools Used

Manual review

Recommendations

It is recommended to implement a validation check within the executeQueuedOperations function to ensure that the _lockIds array is not empty before proceeding with the execution of _executeQueuedLockUpdates. This check will prevent unnecessary computations and gas wastage when there are no lock IDs to process. Additionally, consider revising the design to avoid triggering the updateRewards(_owner) modifier when it is not required, further optimizing gas usage and minimizing the risk of financial losses for users.

e.g you can add a check like this in executeQueuedOperations function