Unbounded Growth in Pending Stakes Array allows to grief and break liquidationPool operations
Summary
The increasePosition function in LiquidationPool.sol allows any stake amount, leading to the creation of new stakes in the pendingStakes[] array. These pending stakes undergo processing the day after staking through consolidatePendingStakes(). The function is triggered on every increasePosition, decreasePosition, and distributeAssets call. Exploiting this, a malicious actor can repeatedly transfer minuscule amounts (1 wei) of EUROs / TST tokens, causing an infinite increase in the length of the pending stakes array. This manipulation results in excessive gas consumption or reverts during subsequent interactions.
Vulnerability Details
Attacker mints 1 EUROs token from Vault.
Calls increasePosition with 1 wei, repeating the process multiple times (e.g., 1^18 times).
The
consolidatePendingStakesfunction, which is gas-intensive, processes the pending stakes.Iterates through pending stakes.
Deletes processed pending stakes by left-shifting elements in the array.
Interactions with decreasePosition, distributeAssets, or increasePosition on the following day lead to reverts or significant gas consumption.
Impact
The vulnerability results in failed or excessively gas-consuming interactions, affecting the liquidity pool.
Tools Used
Manual Review
Recommendations
Implement checks to ensure that stake amounts are within reasonable limits, preventing abuse with extremely small values.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.