The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Possible to DoS all major functions of the protocol

t0x1c

Summary & Vulnerability Details

An unbounded looping is implemented over the pendingStakes[] array inside:

consolidatePendingStakes() loops through all the pending stakes in the pool at L121:

for (int256 i = 0; uint256(i) < pendingStakes.length; i++) {

Since there is no lower limit on the amount being staked, a griefer or malicuous competitor interested in the bringing the protocol down can create multiple pending stakes such that when consolidatePendingStakes() anytime, it runs out of gas and results in Denial of Service.

The griefer will make the following call enough number of times -

await LiquidationPool.increasePosition(1, 0);

Note that for such a small value, due to rounding-down precision loss, no minting fee is charged by the protocol. So the cost of attack would be the sum of the value of all the TSTs (or EUROs) + gas fees.

Checking this via a unit test shows that the execution fails after around 2500 pending stakes on the local network. Add this test to check (took around 5 hours to execute locally on my system) which made use of TST and cost only 0.0000000000000025 euro:

it('is possible to DoS due to huge number of pendingStakes', async () => {
const stake1 = 1;
await TST.mint(user1.address, ethers.utils.parseEther('1000000'));
await TST.connect(user1).approve(LiquidationPool.address, ethers.utils.parseEther('1000000'));
for (let i=1; i<=2500; i++) {
console.log(i);
await LiquidationPool.connect(user1).increasePosition(stake1, 0);
}
});

Impact

  • No new user will be able to stake in the pool by calling increasePosition()

  • No existing user will be able to withdraw their stake by calling decreasePosition()

  • No existing user can be liquidated by the protocol via a call to runLiquidation() since it internally calls distributeAssets() which too calls consolidatePendingStakes()

  • No distribution of fees via distributeFees() possible anymore.

For all practical purposes, protocol becomes non-functional and will soon go underwater due to inability to get rid of bad debts. It is to be noted that there are no admin functions which can help delete such stakes or rescue the protocol from this state.

There is also a chance that this attack be mounted by an attacker who has first taken a huge loan and upon seeing the risk of liquidation, calculates that it is cheaper to spend TSTs (or EUROs) to break the protocol instead of adding collateral to save their undercollateralized position.

Tools Used

Manual review

Recommendations

  • One option is to have a minimum threshold for the staked amount so that the cost of the attack goes up significantly.

  • Also introduce some admin functions which can be used to rescue the protocol by deleting pending stakes (by specifying a range to delete in batches instead of looping all at once), and consider returning the invested amount - fees.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.