`LiquidationPool` can be DOS through `pendingStakes[]`
Summary
The unbounded pendingStakes[] array in LiquidationPool, can lead to every every rewards related transaction revert because the transactions run out of gas.
Vulnerability Details
When a user first stakes EUROs and TST tokens, their stake will first enter the pendingStakes[] array for one day.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L134-L142
pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal)); Here the recent position increase will be pushed to the pendingStakes
The consolidatePendingStakes() function is reponsible for adding the pendingStake to be to the holder's positions mapping.
The loop will go through every pendingStakes, if the stake is mature it will be added to the holder's position.
The consolidatePendingStakes() is called in every significant function of the contract such as increasePosition(), decreasePosition() and distributeAssets.
The issue at hand is that a malicious actor can stuff the pendingStakes[] array with postions worth one 1 wei of EUROs, so with just one EUROs a this malicious actor can create 1e18 positions in pendingStakes[] resulting in a DOS for any functions calling the consolidatePendingStakes() function.
Impact
User cannot withdraw funds, receive rewards or increase stake, because these function will run out of gas.
Tools Used
Manual review
Recommendations
To mitigate this issue I would recommend adding a minimum stake so that it cannot be so cheaply stuffed.
Lead Judging Commences
pendingstake-dos
pendingstake-high
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.