The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

DoS via Loops Iterating Over Large State Arrays

Summary

A user can create a huge number of addresses and, through LiquidationPool::increasePosition(), push an enormous number of stakes into the pendingStakes storage variable.

Vulnerability Details

The LiquidationPool contract depends heavily on pendingStakes.length: several functions loop over the entire pendingStakes storage array, so once the array grows too large to iterate over within the gas available, the result is a DoS of the entire protocol.
Even though the protocol has functionality to remove a pending stake, that removal also depends on a loop, and there may not be enough gas in the transaction to remove the entry from the storage variable either.

File: contracts/LiquidationPool.sol
59: for (uint256 i = 0; i < pendingStakes.length; i++) {
/// @audit state `pendingStakes[]` is `push()`ed and may grow too large to iterate over. | 140: pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
74: for (uint256 i = 0; i < pendingStakes.length; i++) {
/// @audit state `pendingStakes[]` is `push()`ed and may grow too large to iterate over. | 140: pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
106: for (uint256 i = _i; i < pendingStakes.length - 1; i++) {
/// @audit state `pendingStakes[]` is `push()`ed and may grow too large to iterate over. | 140: pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
121: for (int256 i = 0; uint256(i) < pendingStakes.length; i++) {
/// @audit state `pendingStakes[]` is `push()`ed and may grow too large to iterate over. | 140: pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
190: for (uint256 i = 0; i < pendingStakes.length; i++) {

Tools Used

VS Code

Recommendations

Add a length limit to pendingStakes.
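
One way to apply this recommendation, as an added sketch that is not The Standard's LiquidationPool code: the array is capped where it grows and entries are removed by swap-and-pop, so the loop has a fixed worst case. The contract name, MAX_PENDING_STAKES, the one-day maturity period, the stakedTst/stakedEuros mappings and consolidate()/_removeAt() are assumptions, and token transfers are left out so that only the bookkeeping is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the audited contract. Names and values other than
// PendingStake, pendingStakes and increasePosition are assumptions.
contract BoundedPendingStakes {
    struct PendingStake { address holder; uint256 createdAt; uint256 tst; uint256 euros; }

    uint256 public constant MAX_PENDING_STAKES = 256; // assumed cap, sized to the gas budget
    uint256 public constant MATURITY = 1 days;        // assumed waiting period

    PendingStake[] public pendingStakes;
    mapping(address => uint256) public stakedTst;
    mapping(address => uint256) public stakedEuros;

    error PendingStakesFull();

    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal > 0 || _eurosVal > 0, "empty stake");
        // Bound the array at the only place it grows, so every loop over
        // pendingStakes runs at most MAX_PENDING_STAKES iterations.
        if (pendingStakes.length >= MAX_PENDING_STAKES) revert PendingStakesFull();
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
    }

    // Swap-and-pop: O(1) removal instead of shifting every later element.
    // Order is not preserved; each entry carries its own createdAt.
    function _removeAt(uint256 _i) private {
        uint256 last = pendingStakes.length - 1;
        if (_i != last) pendingStakes[_i] = pendingStakes[last];
        pendingStakes.pop();
    }

    // Moves matured entries into the staked balances. The cap above bounds
    // this loop, so it cannot outgrow the block gas limit.
    function consolidate() external returns (uint256 moved) {
        uint256 i = 0;
        while (i < pendingStakes.length) {
            PendingStake memory s = pendingStakes[i];
            if (block.timestamp - s.createdAt >= MATURITY) {
                stakedTst[s.holder] += s.tst;
                stakedEuros[s.holder] += s.euros;
                _removeAt(i); // stay on index i: it now holds the swapped-in entry
                moved++;
            } else {
                i++;
            }
        }
    }
}
```

With a cap in place, a full queue rejects new deposits until consolidate() drains it, so the cap and the maturity period have to be chosen together.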

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
