The increasePosition function in the LiquidityPool contract allows users to stake TST or EUROs tokens without a minimum deposit amount requirement. This lack of a minimum deposit requirement could lead to potential exploitation by malicious users who may spam the arrays (holders and pendingStakes) by depositing small token amounts.
The vulnerability arises because the increase/decrease position functions iterate through the pendingStakes and holders arrays. Malicious users could exploit this by spamming the arrays with numerous accounts, each staking a small amount of tokens. Because the gas cost of those iterations grows with the length of the arrays, this could result in a significant increase in gas expenses for every user interacting with the contract and potentially lead to a denial-of-service (DoS) scenario, causing disruptions or halting the protocol.
The impact of this vulnerability is the potential for a large number of small token deposits causing increased gas costs for users and disruption or halting of the protocol.
Manual review
It is strongly recommended to implement a minimum deposit amount requirement for staking to prevent spamming. Additionally, consider optimizing the algorithms used in functions that iterate through these arrays to minimize gas costs.
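The following sketch is an added illustration, not the project's LiquidityPool code. It assumes a simplified increasePosition(uint256 _tstVal, uint256 _eurosVal) signature, a constructed MIN_DEPOSIT threshold (the finding names no specific value), and shows the unchecked entry point beside the recommended minimum-deposit check, together with one of the array loops whose cost the check bounds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified sketch for this finding; token transfers and rewards are omitted.
contract LiquidityPoolSketch {
    // Assumed per-token minimum for illustration; pick a real threshold per token.
    uint256 public constant MIN_DEPOSIT = 1e18;

    struct Position { address holder; uint256 tst; uint256 euros; }

    address[] public holders;          // iterated by position-changing functions
    Position[] public pendingStakes;   // iterated when pending stakes are processed
    mapping(address => uint256) private holderIndex; // 1-based; 0 means absent

    // Shape described by the finding: any non-zero amount, even 1 wei, adds a
    // pendingStakes entry (and possibly a holders entry). No lower bound exists.
    function increasePositionUnchecked(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal > 0 || _eurosVal > 0, "invalid-value");
        _enqueue(msg.sender, _tstVal, _eurosVal);
    }

    // Recommended shape: each non-zero amount must meet a per-token minimum,
    // so every array entry costs the depositor a meaningful stake. TST and
    // EUROs are separate tokens, so the amounts are checked separately, not summed.
    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal > 0 || _eurosVal > 0, "invalid-value");
        require(_meetsMinimum(_tstVal) && _meetsMinimum(_eurosVal), "below-minimum-deposit");
        _enqueue(msg.sender, _tstVal, _eurosVal);
    }

    function _meetsMinimum(uint256 _amount) private pure returns (bool) {
        return _amount == 0 || _amount >= MIN_DEPOSIT;
    }

    function _enqueue(address _holder, uint256 _tstVal, uint256 _eurosVal) private {
        if (holderIndex[_holder] == 0) {
            holders.push(_holder);
            holderIndex[_holder] = holders.length;
        }
        pendingStakes.push(Position(_holder, _tstVal, _eurosVal));
    }

    // One of the unbounded loops that make array growth a gas concern: the cost
    // scales with pendingStakes.length, which every depositor can grow by one.
    function pendingTotals() external view returns (uint256 tst, uint256 euros) {
        for (uint256 i = 0; i < pendingStakes.length; i++) {
            tst += pendingStakes[i].tst;
            euros += pendingStakes[i].euros;
        }
    }
}
```

The minimum only bounds the per-entry cost an attacker pays; the loops themselves remain linear in array length, which is why the finding also recommends reworking the iterating functions.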