Whenever a position is increased or decreased, the function consolidatePendingStakes is run:
As you can see, the amount of gas it spends increases linearly with the number of pendingStakes. Once there are at least 152 pending stakes that have reached their deadline, it would cost >30 million gas for any user to call increasePosition or decreasePosition, which will not fit in an Ethereum or Optimism block, so it would be impossible for anyone to call increasePosition/decreasePosition. On top of that, none of the undercollateralized vaults will be liquidated, because runLiquidation depends on a successful distributeAssets, which in turn calls consolidatePendingStakes.
This situation can also be created "artificially": the attacker would call increasePosition from each of 152 accounts (or more, depending on the chain) with 1 wei of TST and 1 wei of EURO, and after 24 hours only the accounts that entered before the attack will be receiving all fees.
In the worst case, once the protocol is deployed, the attacker could deposit their funds from one account, and then execute the attack. This way nobody but the attacker will be permanently receiving all fees.
Users are permanently unable to deposit and withdraw funds from LiquidationPool. All current and future undercollateralized vaults cannot be liquidated.
Make each user consolidate their pendingStake manually.
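One way to structure the recommendation above, as an added example that is not the project's own code: each holder's pending stake lives in its own mapping slot, so a call only ever pays for consolidating one stake. The contract, struct and function names are hypothetical, and the tokens are assumed to be standard ERC-20s that return a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration; contract, struct and function names here are hypothetical.
contract PerHolderPendingStakes {
    struct Stake { uint256 tst; uint256 euros; }
    struct Pending { uint256 tst; uint256 euros; uint256 createdAt; }

    uint256 public constant DELAY = 1 days; // the 24-hour wait described above
    IERC20 public immutable TST;
    IERC20 public immutable EUROs;
    mapping(address => Stake) public positions;
    mapping(address => Pending) public pending;

    constructor(IERC20 tst, IERC20 euros) { TST = tst; EUROs = euros; }

    // Moves one holder's matured pending stake into their position.
    // Constant cost: reads and writes that holder's slots only, no shared array.
    function consolidate(address holder) public {
        Pending memory p = pending[holder];
        if (p.createdAt == 0 || block.timestamp < p.createdAt + DELAY) return;
        positions[holder].tst += p.tst;
        positions[holder].euros += p.euros;
        delete pending[holder];
    }

    function increasePosition(uint256 tstVal, uint256 eurosVal) external {
        require(tstVal > 0 || eurosVal > 0, "empty stake");
        consolidate(msg.sender); // caller pays only for their own stake
        Pending storage p = pending[msg.sender];
        p.tst += tstVal;
        p.euros += eurosVal;
        p.createdAt = block.timestamp; // topping up restarts the delay (simplification)
        if (tstVal > 0) require(TST.transferFrom(msg.sender, address(this), tstVal), "TST transfer failed");
        if (eurosVal > 0) require(EUROs.transferFrom(msg.sender, address(this), eurosVal), "EUROs transfer failed");
    }

    function decreasePosition(uint256 tstVal, uint256 eurosVal) external {
        consolidate(msg.sender);
        Stake storage s = positions[msg.sender];
        require(tstVal <= s.tst && eurosVal <= s.euros, "amount exceeds position");
        s.tst -= tstVal;
        s.euros -= eurosVal;
        if (tstVal > 0) require(TST.transfer(msg.sender, tstVal), "TST transfer failed");
        if (eurosVal > 0) require(EUROs.transfer(msg.sender, eurosVal), "EUROs transfer failed");
    }
}
```

In this layout a matured stake counts toward positions only once consolidate has been called for its holder, so any fee or liquidation distribution built on it has to account for stakes that are matured but not yet consolidated.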