The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Loops over unbounded arrays can result in DoS that prevents all liquidations and position updates

Ciara and Gio

Description

Due to loops over the unbounded holders and pendingStakes arrays, the following functions will be in a state of DoS:

LiquidationPool::getStakeTotal: DoS due to loop over holders array leading to a potential DoS in LiquidationPool::distributeAssets which can block all liquidations.
LiquidationPool::getTstTotal: DoS due to loops over the holders and pendingStakes arrays leading to a potential DoS in LiquidationPool::distributeFees which can block all liquidations and prevent stakers from calling LiquidationPool::increasePosition and LiquidationPool::decreasePosition.
LiquidationPool::deleteHolder: Potential DoS due to loop over the holders array leading to a potential DoS in LiquidationPool::decreasePosition, preventing stake removal.
LiquidationPool::deletePendingStake: Potential DoS due to loop over pendingStakes array leading to potential DoS in LiquidationPool::consolidatePendingStakes which leads to a potential DoS in LiquidationPool::increasePosition, LiquidationPool::decreasePosition and LiquidationPool::distributeAssets preventing stake addition/removal and prevent all liquidations.
LiquidationPool::addUniqueHolder: Potential DoS due to loop over holder array leading to DoS potential in LiquidationPool::increasePosition, preventing stake addition.
LiquidationPool::distributeFees: DoS potential due to loops over the holders and pendingStakes arrays, preventing stake from being added/removed and preventing liquidations.
LiquidationPool::distributeAssets: DoS potential due to loop over the holders array, preventing all liquidations.

For example, the following snippet shows the loop over the unbounded holders array in LiquidationPool::distributeFees:

function distributeFees(uint256 _amount) external onlyManager {

uint256 tstTotal = getTstTotal();

if (tstTotal > 0) {

IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _amount);

// @audit potential DoS due to loop over unbounded array

for (uint256 i = 0; i < holders.length; i++) {

address _holder = holders[i];

positions[_holder].EUROs += _amount * positions[_holder].TST / tstTotal;

}

// @audit potential DoS due to loop over unbounded array

for (uint256 i = 0; i < pendingStakes.length; i++) {

pendingStakes[i].EUROs += _amount * pendingStakes[i].TST / tstTotal;

}

This will prevent all liquidations and prevent stakers from adding/removing to/from the liquidation pool.

Impact

Stakers will not be able to increase/decrease their positions. Liquidations are also blocked. Therefore, this is a high-severity finding.

Recommended Mitigation

Avoid looping over unbounded arrays.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

pendingstake-dos

0x996 Auditor

almost 2 years ago

0xrektified Auditor

almost 2 years ago

georgishishkov Auditor

almost 2 years ago

hrishibhat Lead Judge

over 1 year ago

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

pendingstake-high

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.