Description
A vulnerability in the smart contract allows a malicious user to grow the LiquidationPool::pendingStakes array excessively. The LiquidationPool::consolidatePendingStakes() function, which is crucial for increasing or decreasing holders' positions and for distributing assets upon smart vault liquidation, contains an unbounded loop over that array, so it can exhaust the available gas and revert.
Impact
The vulnerability in LiquidationPool::consolidatePendingStakes() severely disrupts crucial functionality of the contract. It affects increasing and decreasing stakes, as well as asset distribution during liquidation. Consequently, funds can be locked indefinitely within affected smart vaults. The issue not only blocks holders' transactions but also lets malicious borrowers exploit the protocol by preventing liquidation.
Proof of Concept
Bob creates a smart vault, deposits 10 ETH as collateral, and mints 16000 EUROs.
Bob repeatedly calls LiquidationPool::increasePosition(), continually escalating his position until the function reverts.
A day after Bob's deposits, market volatility causes ETH's price to drop, requiring liquidation of his vault.
A user initiates LiquidationPoolManager::runLiquidation(), triggering LiquidationPool::distributeAssets(). However, the LiquidationPool::consolidatePendingStakes() function reverts because it hits the block gas limit, making Bob's vault impossible to liquidate.
Recommended Mitigation
Consider improving the consolidation logic for pending stakes or reworking the protocol's logic associated with them. Possible solutions include:
Introduce function parameters like offset and length to divide consolidation into smaller batches.
Implement an upper limit on the number of pending stakes.
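The sketch below combines both suggestions. It is an added example, not the protocol's own code: the contract name, the constants MAX_PENDING and MIN_STAKE, the single-token amount field and the stored head cursor (used in place of a caller-supplied offset) are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical sketch, not the audited LiquidationPool: names and constants are assumptions.
contract BoundedPendingStakes {
    struct PendingStake { address holder; uint64 createdAt; uint256 amount; }

    uint256 public constant MAX_PENDING = 500; // assumed cap on queued entries
    uint256 public constant MIN_STAKE = 1e18;  // assumed floor, makes queue spam costly
    uint256 public constant DELAY = 1 days;    // stakes mature one day after creation

    PendingStake[] private queue; // append-only, so createdAt is non-decreasing
    uint256 public head;          // index of the first unconsolidated entry
    mapping(address => uint256) public positions;

    function pendingCount() public view returns (uint256) {
        return queue.length - head;
    }

    function increasePosition(uint256 amount) external {
        require(amount >= MIN_STAKE, "stake too small");
        require(pendingCount() < MAX_PENDING, "pending queue full");
        // Token transfer from msg.sender is omitted in this sketch.
        queue.push(PendingStake(msg.sender, uint64(block.timestamp), amount));
    }

    // Consolidates at most `length` matured entries starting at `head`.
    // Gas is bounded by `length`, not by how many entries are queued.
    function consolidatePendingStakes(uint256 length) public returns (uint256 done) {
        uint256 i = head;
        uint256 end = i + length;
        if (end > queue.length) end = queue.length;
        // Entries are time-ordered, so stop at the first one that has not matured.
        while (i < end && queue[i].createdAt + DELAY <= block.timestamp) {
            PendingStake memory s = queue[i];
            positions[s.holder] += s.amount;
            delete queue[i]; // frees the slot without shifting the array
            i++;
        }
        done = i - head;
        head = i; // the next call resumes here
    }
}
```

The liquidation path would call consolidatePendingStakes with a fixed length, so asset distribution can no longer revert because of queue size. A cap on its own lets an attacker fill the queue and block other stakers, which is why the sketch pairs it with a minimum stake.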
Tools Used
Manual Review