The Standard

Submission Details
Severity: high
Valid

H-1 Malicious user can flood LiquidationPool with pendingStakes by providing insignificant amount of TST or EUROs and lead to DoS

Summary

The LiquidationPool.sol contract allows users to stake assets by providing TST or EUROs tokens through increasePosition(). A user must then wait at least a day before calling decreasePosition() to claim the assets back. During this period a malicious user can cause a DoS by repeatedly staking an insignificant amount of TST or EUROs.

Vulnerability Details

A user can execute thousands of transactions with the intention of flooding the pendingStakes array. This is especially easy on chains with low gas fees.
Calling increasePosition() with an insignificant amount of TST or EUROs while paying low gas fees is easily automated with a bot.

Let's say Alice is a user with good intentions and she stakes her assets. Then Bob comes along and wants to break the protocol. Bob calls LiquidationPool.increasePosition() 10,000 times (for example), providing 0.000001 TST each time. Every call creates a new pending stake with a duration of one day, leading to DoS.

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L140

When Alice comes back and decides to claim her assets by calling decreasePosition(), she will have to wait for consolidatePendingStakes() to iterate through all of the void pendingStakes Bob created.

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L121

In the worst case, after a day has passed, Alice tries decreasePosition() again, but this time consolidatePendingStakes() not only has to iterate but also has to call deletePendingStake() on every iteration. This way Alice would not be able to claim back her assets.

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L127

Impact

The attack is easy to implement and the likelihood of it happening is high. Since all of the methods responsible for returning assets and rewards depend on consolidatePendingStakes(), all of the assets can stay locked, so I consider it a High. Users won't be able to decreasePosition(), and not even to increasePosition().

PoC

// Malicious user can flood LiquidationPool with pendingStakes by providing very
// tiny amounts of TST or EUROs and lead to DoS
// recommendation: Ensure the number of iterations is properly bounded.
it.only('allows increasing position by one or both assets', async () => {
  const tstVal = ethers.utils.parseEther('1');
  await TST.mint(user1.address, tstVal);

  // Without an allowance the stake must fail and the position stays empty.
  let increase = LiquidationPool.increasePosition(tstVal, 0);
  await expect(increase).to.be.revertedWith('ERC20: insufficient allowance');
  let { _position } = await LiquidationPool.position(user1.address);
  expect(_position.TST).to.equal('0');
  expect(_position.EUROs).to.equal('0');

  // Dust-sized stake: 1000 of these still fit inside the 1 TST allowance.
  const maliciousTstVal = ethers.utils.parseEther('0.0000001');
  await TST.approve(LiquidationPool.address, tstVal);
  const numberOfExecutions = 1000;
  for (let i = 0; i < numberOfExecutions; i++) {
    // most likely at some point it won't be able to increase positions anymore
    // as it iterates through every single one on every call before pushing new pending stakes
    increase = LiquidationPool.increasePosition(maliciousTstVal, 0);
    await expect(increase).not.to.be.reverted;
  }
  // Every call above appended one pending stake that consolidatePendingStakes() must walk.
  ({ _position } = await LiquidationPool.position(user1.address));
});

Tools Used

Manual review

Recommendations

Set a minimum amount for staking TST or EUROs, or limit the number of pendingStakes a holder can open in a 24-hour period.
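As an added illustration (not The Standard's code), a reduced staking queue that applies both recommendations, a minimum stake and a per-holder cap on open pending stakes, and removes matured stakes by swap-and-pop so consolidation no longer shifts the array on every delete. The struct layout, constants and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the project's code: the struct layout, limits and
// names below are assumptions chosen to show the mitigations only.
contract BoundedPendingStakes {
    struct PendingStake { address holder; uint256 createdAt; uint256 TST; uint256 EUROs; }
    struct Position { uint256 TST; uint256 EUROs; }

    uint256 public constant MIN_STAKE = 1e18;           // assumed floor: 1 token (18 decimals)
    uint256 public constant MAX_PENDING_PER_HOLDER = 5;  // assumed cap on open pending stakes
    uint256 public constant PENDING_DELAY = 1 days;

    PendingStake[] private pendingStakes;
    mapping(address => uint256) public openPending;     // open pending stakes per holder
    mapping(address => Position) public positions;      // consolidated balances

    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        // Mitigation 1: dust stakes are rejected, so every queue entry ties up real capital.
        require(_tstVal >= MIN_STAKE || _eurosVal >= MIN_STAKE, "stake below minimum");
        // Mitigation 2: one holder cannot grow the queue without bound inside the delay window.
        require(openPending[msg.sender] < MAX_PENDING_PER_HOLDER, "too many pending stakes");
        consolidatePendingStakes();
        // token transferFrom calls omitted in this illustration
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
        openPending[msg.sender]++;
    }

    // Walks the queue from the end and uses swap-and-pop, so removing a matured
    // stake is O(1) instead of shifting the whole tail on every delete.
    function consolidatePendingStakes() public {
        for (uint256 i = pendingStakes.length; i > 0; i--) {
            PendingStake memory ps = pendingStakes[i - 1];
            if (ps.createdAt + PENDING_DELAY < block.timestamp) {
                positions[ps.holder].TST += ps.TST;
                positions[ps.holder].EUROs += ps.EUROs;
                openPending[ps.holder]--;
                pendingStakes[i - 1] = pendingStakes[pendingStakes.length - 1];
                pendingStakes.pop();
            }
        }
    }

    function pendingCount() external view returns (uint256) { return pendingStakes.length; }
}
```

Swap-and-pop changes the order of the queue, which is only acceptable if nothing reads pendingStakes positionally; that is an assumption here, and the caps still bound only how much one account can enqueue, not the total queue length across many accounts.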

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
