The function consolidatePendingStakes loops over the array of pending stakes to update user balances. Since there is no limit on the length of this array, it can lead to DoS through out-of-gas errors if attackers artificially inflate the array.
Ethereum has a block gas limit, and transactions using more gas than this limit will always revert. The function consolidatePendingStakes loops over the array of pending stakes, so its gas cost grows with the length of that array.
The issue is that external users control the length of the pendingStakes array. A user can add to a position, which pushes a new element onto the pending stakes array. Attackers can therefore artificially inflate the array with small deposits and make the contract very expensive for other users to operate, since consolidatePendingStakes is called whenever any user makes a deposit to or withdrawal from the contract.
A malicious attacker can then spam deposits until the array grows so large that looping over it exceeds the block gas limit. At that point no one can use the contract anymore, and users' funds are permanently locked in it.
Users can lose access to their funds due to out-of-gas errors.
Manual Review
Limit the maximum size of the pendingStakes array to prevent such a DoS attack.
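A sketch of that recommendation, added here as an illustration and not taken from the audited contract. Only pendingStakes and consolidatePendingStakes are names from this report; the struct layout, the epoch logic, the constants and the deposit/withdraw functions are assumptions made to keep the model self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified model, not the audited contract's code.
// Only pendingStakes and consolidatePendingStakes are names from the report;
// the struct, epoch logic, constants and other functions are assumptions.
contract BoundedPendingStakes {
    struct PendingStake { address user; uint256 amount; }

    uint256 public constant MAX_PENDING_STAKES = 100; // assumed cap
    uint256 public constant MIN_DEPOSIT = 0.01 ether; // assumed dust floor
    uint256 public constant EPOCH = 1 days;           // assumed consolidation period

    PendingStake[] public pendingStakes;
    mapping(address => uint256) public balances;
    uint256 public lastConsolidation;

    error PendingQueueFull();
    error DepositTooSmall();

    function deposit() external payable {
        if (msg.value < MIN_DEPOSIT) revert DepositTooSmall();
        consolidatePendingStakes();
        // Reject instead of growing: the loop below can never exceed the cap.
        if (pendingStakes.length >= MAX_PENDING_STAKES) revert PendingQueueFull();
        pendingStakes.push(PendingStake(msg.sender, msg.value));
    }

    function withdraw(uint256 amount) external {
        consolidatePendingStakes();
        balances[msg.sender] -= amount; // checked arithmetic reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function consolidatePendingStakes() public {
        if (block.timestamp < lastConsolidation + EPOCH) return;
        uint256 n = pendingStakes.length; // n <= MAX_PENDING_STAKES
        for (uint256 i = 0; i < n; ++i) {
            PendingStake storage s = pendingStakes[i];
            balances[s.user] += s.amount;
        }
        delete pendingStakes; // clearing cost is bounded by the same cap
        lastConsolidation = block.timestamp;
    }
}
```

With the cap in place, the gas used by consolidatePendingStakes has a fixed upper bound, so withdrawals stay callable however many deposits are attempted. A full queue still makes new deposits revert until the next consolidation, which is why the sketch pairs the cap with a minimum deposit size.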