The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: high
Valid

Users can perform DoS attacks on LiquidationPool by putting minimal stake positions on the contract

Summary

Malicious actors can perform a denial-of-service attack on the contract by filling it with minimum-stake positions. Since consolidatePendingStakes() is called numerous times from user-executed functions (e.g. increasePosition(), decreasePosition()) and protocol-executed functions (e.g. distributeAssets()), the gas this function consumes can break the functionality of other functions the protocol needs in order to work properly.

Vulnerability Details

Since there is no limit on the size of the pendingStakes array, and the array is looped over in consolidatePendingStakes(), which is called from many functions, users can spam it with insignificant stakes (a minimum of 1).

Impact

Users cannot call any function that also calls consolidatePendingStakes(), since it will run into an out-of-gas exception because the array is unbounded.
Since this breaks the protocol's functionality and usability, I give it HIGH severity.

This also directly affects the holders array. Because of all this, function calls will become expensive and users will be disincentivized from calling any function that contains a call to consolidatePendingStakes().

Tools Used

Manual review

Recommendations

Introduce a minimum stake amount to deter malicious actors from spamming the protocol.
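A simplified model of the pattern and the recommended fix, added here as an illustration. It is not The Standard's LiquidationPool source; the struct layout, the MIN_STAKE value and the PENDING_DELAY are assumptions, and the unbounded loop is kept only to show why the minimum matters:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the pending-stake consolidation pattern.
// Not the project's code: struct fields, MIN_STAKE and PENDING_DELAY are assumptions.
contract LiquidationPoolModel {
    struct PendingStake { address holder; uint256 createdAt; uint256 amount; }

    uint256 public constant MIN_STAKE = 1e18;       // assumed minimum (1 token, 18 decimals)
    uint256 public constant PENDING_DELAY = 1 days; // assumed delay before consolidation

    PendingStake[] private pendingStakes;
    mapping(address => uint256) public positions;

    // Vulnerable shape: any non-zero amount is accepted, so the array can be
    // padded with worthless entries that every later consolidation must walk.
    function increasePositionVulnerable(uint256 amount) external {
        require(amount > 0, "zero stake");
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, amount));
        consolidatePendingStakes();
    }

    // Hardened shape: a meaningful minimum makes each spam entry cost real capital.
    function increasePosition(uint256 amount) external {
        require(amount >= MIN_STAKE, "stake below minimum");
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, amount));
        consolidatePendingStakes();
    }

    // Gas cost grows linearly with pendingStakes.length. Once the array is large
    // enough, this loop exceeds the block gas limit and every function that
    // calls it reverts with out-of-gas, which is the DoS described in the finding.
    function consolidatePendingStakes() public {
        uint256 i = 0;
        while (i < pendingStakes.length) {
            PendingStake memory ps = pendingStakes[i];
            if (ps.createdAt + PENDING_DELAY < block.timestamp) {
                positions[ps.holder] += ps.amount;
                // swap-and-pop removal so the loop stays bounded by array length
                pendingStakes[i] = pendingStakes[pendingStakes.length - 1];
                pendingStakes.pop();
            } else {
                i++;
            }
        }
    }
}
```

A minimum stake raises the attacker's cost per entry but does not cap the array; a deployment that wants a hard guarantee would also bound how many entries one consolidation call processes.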

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
