The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: high
Valid

Potential DOS Attack Vulnerability in Smart Contract's increasePosition Function

Summary

The increasePosition function in the smart contract is vulnerable to a Denial of Service (DOS) attack. An attacker could exploit this by repeatedly calling the function with minimal values (e.g., 0 for one value and 1 wei for the other) from different addresses. Each call adds a new entry to the holders' list, so the list grows without bound and every function that walks it becomes more expensive.

Vulnerability Details

The function allows a position to be increased via the _tstVal and _eurosVal parameters. It checks that at least one of these values is greater than 0 before proceeding, but there is no lower bound on how large that value must be. This can be exploited by repeatedly calling increasePosition with minimal values (such as 0 and 1 wei), each time from a different address. Every such call executes addUniqueHolder(msg.sender), appending the address to the holders' list. An attacker can use this to flood the contract with a large number of dust-sized stake holders, leading to performance degradation or, once the list is large enough, to functions that iterate over it exceeding the block gas limit and becoming unusable.

Impact

This vulnerability could lead to a DOS condition where legitimate users are unable to interact with the contract effectively due to the excessive number of holders. The performance of the contract can degrade significantly, and important functions that iterate over the holders' list may become too costly in terms of gas, or even fail if they exceed block gas limits.

Tools Used

Manual Review

Recommendations

Implement rate-limiting measures to restrict the frequency at which a single address can call increasePosition. This would help prevent an attacker from using a single address to continuously add minimal stakes.
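The following added example (illustrative code, not The Standard's contract; the contract names, constructor parameters, the minTst/minEuros/cooldown thresholds and the running-total fields are assumptions) places the pattern described in this report beside a hardened variant. The vulnerable contract admits 1 wei positions and walks the holders array; the hardened one enforces a per-leg minimum, applies the per-address cooldown recommended above, and keeps running totals so no function needs to iterate over holders at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical illustration of the unbounded holder-list growth described in
/// the finding. Not the audited project's code.
contract PendingStakeVulnerable {
    address[] public holders;
    mapping(address => bool) private isHolder;
    mapping(address => uint256) public tstPositions;
    mapping(address => uint256) public eurosPositions;

    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        // The only guard: at least one leg non-zero. A 1 wei call passes.
        require(_tstVal > 0 || _eurosVal > 0, "nothing to stake");
        tstPositions[msg.sender] += _tstVal;
        eurosPositions[msg.sender] += _eurosVal;
        addUniqueHolder(msg.sender);
    }

    function addUniqueHolder(address _holder) private {
        if (!isHolder[_holder]) {
            isHolder[_holder] = true;
            holders.push(_holder); // one permanent entry per fresh address
        }
    }

    // Any function that walks `holders` has an attacker-controlled loop bound.
    function totalTst() external view returns (uint256 total) {
        for (uint256 i = 0; i < holders.length; i++) {
            total += tstPositions[holders[i]];
        }
    }
}

/// Hardened variant (assumed design, not the project's fix).
contract PendingStakeHardened {
    uint256 public immutable minTst;    // economic floor per TST leg
    uint256 public immutable minEuros;  // economic floor per EUROs leg
    uint256 public immutable cooldown;  // seconds between calls per address

    address[] public holders;
    mapping(address => bool) private isHolder;
    mapping(address => uint256) public tstPositions;
    mapping(address => uint256) public eurosPositions;
    mapping(address => uint256) public lastIncrease;

    // Running totals make aggregate queries O(1); no loop over holders.
    uint256 public totalTst;
    uint256 public totalEuros;

    constructor(uint256 _minTst, uint256 _minEuros, uint256 _cooldown) {
        minTst = _minTst;
        minEuros = _minEuros;
        cooldown = _cooldown;
    }

    function increasePosition(uint256 _tstVal, uint256 _eurosVal) external {
        require(_tstVal > 0 || _eurosVal > 0, "nothing to stake");
        // Dust guard: each non-zero leg must clear its minimum, so every new
        // holder entry costs the caller real capital.
        require(_tstVal == 0 || _tstVal >= minTst, "tst below minimum");
        require(_eurosVal == 0 || _eurosVal >= minEuros, "euros below minimum");
        // Per-address rate limit, as recommended in the finding.
        require(
            block.timestamp >= lastIncrease[msg.sender] + cooldown,
            "cooldown active"
        );
        lastIncrease[msg.sender] = block.timestamp;

        tstPositions[msg.sender] += _tstVal;
        eurosPositions[msg.sender] += _eurosVal;
        totalTst += _tstVal;
        totalEuros += _eurosVal;
        addUniqueHolder(msg.sender);
    }

    function addUniqueHolder(address _holder) private {
        if (!isHolder[_holder]) {
            isHolder[_holder] = true;
            holders.push(_holder);
        }
    }

    function holderCount() external view returns (uint256) {
        return holders.length;
    }
}
```

Two design points follow from the scenario in this report. A per-address cooldown on its own does not stop the many-address variant, since the attacker rotates msg.sender; the minimum-size floor is what attaches a capital cost to each holders entry. Independently of either guard, keeping aggregates as running totals removes the unbounded loop, so the holders array can grow without any function hitting the block gas limit.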

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-dos

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

pendingstake-high
