The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Burn Mechanism in `SmartVaultManagerV5` which can lead to denial of service

n0kto

Description

There is no burning mechanism defined in SmartVaultManagerV5. Without a burning mechanism, there is a limit to the number of vaults that can be created, which is 2 ** 256 - 1. If the protocol becomes widely used, reaching this limit could be detrimental.

Impact

The absence of a burning mechanism means that, in the long run, the protocol could reach a state where no more vaults can be minted, leading to the end of the protocol. Although the likelihood of this happening is very low, a determined attacker could potentially accelerate the process at a high cost in gas fees.

Recommended Mitigation

Implement a burning mechanism to reuse token IDs that become available. One approach is to create an array to keep track of deleted token IDs and redistribute them in the mint function. Additionally, utilize the _burn function inherited from ERC721Upgradeable in the SmartVaultManagerV5:liquidateVault function.

Example of a mechanism:

uint256[] availableTokenID;

function mint() external returns (address vault, uint256 tokenId) {

- tokenId = lastToken + 1;

- _safeMint(msg.sender, tokenId);

- lastToken = tokenId;

+ if (availableTokenID.length > 0){

+ tokenId = availableTokenID[availableTokenID.length - 1];

+ availableTokenID.pop();

+ }

+ else {

+ tokenId = lastToken + 1;

+ lastToken = tokenId;

+ }

+ _safeMint(msg.sender, tokenId);

}

function liquidateVault(uint256 _tokenId) external onlyLiquidator {

ISmartVault vault = ISmartVault(

smartVaultIndex.getVaultAddress(_tokenId)

);

try vault.undercollateralised() returns (bool _undercollateralised) {

require(_undercollateralised, "vault-not-undercollateralised");

vault.liquidate();

IEUROs(euros).revokeRole(

IEUROs(euros).MINTER_ROLE(),

address(vault)

);

IEUROs(euros).revokeRole(

IEUROs(euros).BURNER_ROLE(),

address(vault)

);

emit VaultLiquidated(address(vault));

+ _burn(tokenID);

} catch {

revert("other-liquidation-error");

}

Note: Burning a token ID does not pose a risk to vaults, as it won't delete vault contracts or the tokens within them.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.