The consolidatePendingStakes function can be DoSed easily, and the LiquidationPool::increasePosition, LiquidationPool::decreasePosition and LiquidationPool::distributeAssets functions use it. This makes the most important parts of the system unusable.
Since there is no check for a minimum staking amount, a malicious user can make multiple increasePosition requests of 1 wei each, and every one of them increases the length of pendingStakes, which is iterated in a for loop. Even if there are no malicious users, the pendingStakes list may grow large enough to exceed the block gas limit within 1 day during intensive use of the system.
A permanent freeze of the LiquidationPool::increasePosition, LiquidationPool::decreasePosition and LiquidationPool::distributeAssets functions will make the system unusable.
Manual Review
Adding a msg.sender argument to the consolidatePendingStakes function will reduce the pendingStakes.length that has to be iterated.
Add a requirement to the decreasePosition function that checks the minimum stake amount, and add a pendingStake limit for each user.
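The pattern behind this finding, as an added illustrative sketch rather than the project's LiquidationPool code: an unbounded pendingStakes array walked on every position change, shown with the unguarded entry point next to one that applies the recommended minimum amount and per-user pending cap. The contract name, MIN_STAKE, MAX_PENDING_PER_USER, CONSOLIDATION_DELAY and the struct fields are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch of the finding, not the project's own code.
// Constants and the per-user cap are assumed values.
contract PendingStakesSketch {
    struct PendingStake { address holder; uint256 createdAt; uint256 amount; }

    PendingStake[] public pendingStakes;
    mapping(address => uint256) public pendingCount; // entries per holder
    mapping(address => uint256) public positions;    // consolidated stake

    uint256 public constant MIN_STAKE = 1 ether;        // assumed threshold
    uint256 public constant MAX_PENDING_PER_USER = 10;  // assumed cap
    uint256 public constant CONSOLIDATION_DELAY = 1 days;

    // Vulnerable shape: no minimum amount and no cap, so 1 wei deposits
    // grow the array without bound and every caller of the loop pays for it.
    function increasePositionUnbounded(uint256 amount) external {
        pendingCount[msg.sender]++;
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, amount));
        consolidatePendingStakes();
    }

    // Hardened shape from the recommendation: minimum amount plus a
    // per-user limit on how many pending entries one address may hold.
    function increasePosition(uint256 amount) external {
        require(amount >= MIN_STAKE, "stake below minimum");
        require(pendingCount[msg.sender] < MAX_PENDING_PER_USER, "pending cap reached");
        pendingCount[msg.sender]++;
        pendingStakes.push(PendingStake(msg.sender, block.timestamp, amount));
        consolidatePendingStakes();
    }

    // Gas here grows with pendingStakes.length; once the array is long
    // enough this reverts on the block gas limit and freezes every caller.
    function consolidatePendingStakes() internal {
        uint256 deadline = block.timestamp - CONSOLIDATION_DELAY;
        for (uint256 i = 0; i < pendingStakes.length; ) {
            PendingStake memory ps = pendingStakes[i];
            if (ps.createdAt < deadline) {
                positions[ps.holder] += ps.amount;
                pendingCount[ps.holder]--;
                pendingStakes[i] = pendingStakes[pendingStakes.length - 1];
                pendingStakes.pop(); // swap-and-pop, so do not advance i
            } else {
                i++;
            }
        }
    }
}
```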