The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

Possible `LiquidationPool.pendingStakes` DoS due to unbounded array length

Summary

The LiquidationPool.increasePosition function lets any user create a new pending stake of arbitrarily small value, and nothing bounds how many such stakes one user can queue. A malicious user can therefore bloat the LiquidationPool.pendingStakes array until every function that iterates over it runs out of gas, causing a Denial of Service on the LiquidationPool contract and disabling its core functions.

Vulnerability Details

The increasePosition function in the LiquidationPool contract accepts deposits of TST and/or EUROs tokens. A new deposit is not added to the user's position immediately; it is pushed onto the pendingStakes array and only consolidated into the position after one day. Both increasePosition and decreasePosition call consolidatePendingStakes, which iterates over the entire pendingStakes array and performs storage reads and writes for each entry, so its gas cost grows linearly with the array length.

increasePosition neither checks nor limits the amount of the new position. A malicious user can therefore push an unlimited number of pending stakes with trivial amounts (as little as 1 wei each). Once the array is large enough, any function that iterates over pendingStakes exceeds the block gas limit and reverts with an out-of-gas exception.

A simple Proof of Concept (Hardhat test) demonstrates how a malicious user can flood the pendingStakes array with numerous low-valued stakes:

it("DOS of LiquidationPool", async () => {
  // Fund the attacker with a small TST balance; 1,000,000 wei is ample for the loop below
  await TST.mint(attacker.address, 1000000);
  await TST.connect(attacker).approve(LiquidationPool.address, 1000000);
  // Each call deposits 1 wei of TST and 0 EUROs, appending one more entry to pendingStakes.
  // Every call also runs consolidatePendingStakes over the whole array, so the gas cost
  // of each iteration grows with the number of entries already queued.
  for (let i = 0; i < 1000; i++) {
    await LiquidationPool.connect(attacker).increasePosition(1, 0);
  }
});

Impact

The LiquidationPool contract is integral to the protocol, especially to the liquidation process. The DoS has several significant impacts:

  1. consolidatePendingStakes reverts with out-of-gas, so every function that calls it (increasePosition, decreasePosition, and distributeAssets) reverts as well.

  2. With decreasePosition, distributeAssets, and distributeFees inoperable, tokens already deposited are trapped in the LiquidationPool.

  3. With distributeFees and distributeAssets inoperable, the liquidation process itself is blocked.

The severity is high because funds can be trapped in the contract. The likelihood is also high: the attack needs only gas plus 1 wei per entry, and no privileged role.

Tools Used

Manual Review

Recommendations

Several mitigations can be implemented:

  1. Enforce a minimum amount per deposit so that each pendingStakes entry costs the attacker a non-trivial amount.

  2. Aggregate pending stakes from the same msg.sender into a single entry, so the array length is bounded by the number of distinct depositors rather than the number of calls.
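The following contract is an added illustration of the unbounded-queue pattern described in the Vulnerability Details and of the two mitigations above. It is a simplified model written for this write-up, not The Standard's LiquidationPool code: token transfers, fee distribution and the rest of the position bookkeeping are omitted, and the names PendingStakeQueue, MIN_STAKE, CONSOLIDATION_DELAY and pendingIndexPlusOne are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of a pending-stake queue with a one-day consolidation delay.
/// Illustrative only (not The Standard's LiquidationPool): token transfers and
/// fee distribution are omitted so the queue logic stands on its own.
contract PendingStakeQueue {
    struct PendingStake {
        address holder;
        uint256 createdAt;
        uint256 tst;
        uint256 euros;
    }

    struct Position {
        uint256 tst;
        uint256 euros;
    }

    uint256 public constant CONSOLIDATION_DELAY = 1 days;
    // Assumed threshold: one whole token (18 decimals). Tune per token in practice.
    uint256 public constant MIN_STAKE = 1e18;

    PendingStake[] public pendingStakes;
    mapping(address => Position) public positions;
    // holder => index into pendingStakes plus one (0 means "no pending stake")
    mapping(address => uint256) private pendingIndexPlusOne;

    // Vulnerable pattern (for comparison, deliberately not callable here):
    //   require(_tstVal > 0 || _eurosVal > 0);
    //   consolidatePendingStakes();
    //   pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
    // Any positive amount is accepted and every call appends a new entry, so a single
    // attacker can grow the array without bound for 1 wei plus gas per entry.

    /// Hardened pattern: a minimum per deposit plus at most one pending entry per
    /// sender. Array length is then bounded by the number of distinct depositors,
    /// and each entry costs the attacker at least MIN_STAKE.
    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal >= MIN_STAKE || _eurosVal >= MIN_STAKE, "below minimum stake");
        consolidatePendingStakes();

        uint256 idx = pendingIndexPlusOne[msg.sender];
        if (idx != 0) {
            // Merge into the sender's existing pending entry. The timer restarts so the
            // whole merged amount waits the full delay; otherwise a tiny early deposit
            // could be used to shortcut the delay for a large later one.
            PendingStake storage ps = pendingStakes[idx - 1];
            ps.tst += _tstVal;
            ps.euros += _eurosVal;
            ps.createdAt = block.timestamp;
        } else {
            pendingStakes.push(PendingStake(msg.sender, block.timestamp, _tstVal, _eurosVal));
            pendingIndexPlusOne[msg.sender] = pendingStakes.length;
        }
    }

    /// Moves every matured pending stake into its holder's position. Cost is linear
    /// in pendingStakes.length, which is exactly why that length must stay bounded.
    function consolidatePendingStakes() public {
        uint256 deadline = block.timestamp - CONSOLIDATION_DELAY;
        uint256 i = 0;
        while (i < pendingStakes.length) {
            PendingStake memory ps = pendingStakes[i];
            if (ps.createdAt < deadline) {
                positions[ps.holder].tst += ps.tst;
                positions[ps.holder].euros += ps.euros;
                _removePendingStake(i);
                // do not advance i: the former last element now sits at index i
            } else {
                i++;
            }
        }
    }

    /// Swap-and-pop removal that keeps the per-holder index map consistent.
    function _removePendingStake(uint256 i) private {
        uint256 last = pendingStakes.length - 1;
        address removed = pendingStakes[i].holder;
        if (i != last) {
            pendingStakes[i] = pendingStakes[last];
            pendingIndexPlusOne[pendingStakes[i].holder] = i + 1;
        }
        pendingStakes.pop();
        delete pendingIndexPlusOne[removed];
    }

    function pendingStakeCount() external view returns (uint256) {
        return pendingStakes.length;
    }
}
```

With this model, repeating the PoC's 1-wei deposits reverts at the minimum-stake check, and a depositor who does clear the minimum on every call still occupies a single pendingStakes entry. Note the loop in consolidatePendingStakes is still linear in the number of distinct depositors; the mitigations make each entry cost the attacker real capital, they do not remove the iteration.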

Updates

Lead Judging Commences

hrishibhat (Lead Judge), almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags: pendingstake-dos

hrishibhat (Lead Judge), almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags: pendingstake-high
