The Standard

DeFi, Hardhat, 20,000 USDC
Submission Details
Severity: high
Valid

A malicious user can DDoS the consolidatePendingStakes function

Summary

A malicious user can DDoS the consolidatePendingStakes function.

Vulnerability Details

When a user increases their position through the increasePosition function, a new pending stake is created.

pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));

It has only one require statement, which checks that _tstVal and _eurosVal are greater than 0. A malicious user can therefore create a large number of pending stakes with very low amounts of _tstVal or _eurosVal, which leads to a DDoS of the consolidatePendingStakes function. Any function that calls consolidatePendingStakes will be permanently DDoSed, because looping over all pending stakes exhausts the available gas.

Impact

Users are blocked from increasing or decreasing their position, and the distribution of fees is blocked as well.

Tools Used

Manual Review

Recommendations

Add a limit on how many active pending stakes can exist, or add a minimum amount requirement for creating a new pending stake.
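The following contract is an added illustration of the pattern described in the Vulnerability Details and of the two recommendations above; it is not The Standard's code. It keeps the names the finding uses (PendingStake, increasePosition, consolidatePendingStakes); the storage layout, the one-day consolidation delay, the dust thresholds and the queue cap are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract, not The Standard's own code. Names from the finding
/// are reused; the delay, thresholds and cap below are assumed values.
contract PendingStakeDoSExample {
    struct PendingStake {
        address holder;
        uint256 createdAt;
        uint256 tstVal;
        uint256 eurosVal;
    }

    PendingStake[] public pendingStakes;
    mapping(address => uint256) public tstStaked;
    mapping(address => uint256) public eurosStaked;

    uint256 public constant CONSOLIDATION_DELAY = 1 days; // assumed

    // --- vulnerable pattern described in the finding -----------------------
    // The only guard is "amount greater than 0" (assumed shape of the check),
    // so every call appends one more element and the array grows without bound.
    function increasePositionUnsafe(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal > 0 || _eurosVal > 0, "nothing to stake");
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
    }

    // Walks the whole array on every call. Gas grows linearly with its length,
    // so once it is long enough this call, and every function that invokes it,
    // no longer fits in a block.
    function consolidatePendingStakes() public {
        uint256 i = 0;
        while (i < pendingStakes.length) {
            PendingStake memory p = pendingStakes[i];
            if (block.timestamp - p.createdAt >= CONSOLIDATION_DELAY) {
                tstStaked[p.holder] += p.tstVal;
                eurosStaked[p.holder] += p.eurosVal;
                // swap-and-pop removal; i is not advanced because a new
                // element now occupies this slot
                pendingStakes[i] = pendingStakes[pendingStakes.length - 1];
                pendingStakes.pop();
            } else {
                i++;
            }
        }
    }

    // --- hardened version following the finding's recommendations ----------
    uint256 public constant MIN_TST = 1e18;    // assumed dust thresholds
    uint256 public constant MIN_EUROS = 1e18;
    uint256 public constant MAX_PENDING = 200; // assumed cap on queue length

    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        // 1. Minimum amounts: each queue slot now costs the caller real
        //    capital, so filling the queue is no longer cheap.
        require(_tstVal >= MIN_TST || _eurosVal >= MIN_EUROS, "amount below minimum");

        // 2. Hard cap on active pending stakes: the loop above is bounded by
        //    MAX_PENDING iterations. Matured entries are settled first so a
        //    full queue of old stakes does not block honest users.
        consolidatePendingStakes();
        require(pendingStakes.length < MAX_PENDING, "pending stake queue full");

        pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
    }
}
```

The two controls are applied together on purpose: a cap alone bounds the gas of consolidatePendingStakes but still lets cheap entries occupy every slot until they mature, while a minimum alone leaves the loop unbounded in principle. Reviewing a fix, check that the cap is enforced on the live array length after matured stakes have been cleared, and that the thresholds are denominated in the tokens' actual decimals.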

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
