DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

DoS when using values of Enumerable Set

Summary

collateralLiquidationPriority and activeMarketIds are EnumerableSets. During state modification, the values() function is called on both sets, which copies all of each set's values from storage to memory.

Vulnerability Details

The issue arises if either of these sets grows large enough that copying it to memory no longer fits in a block's gas, which results in a Denial of Service (DoS). The inline documentation for the values() function states:

WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed
to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that
this function has an unbounded cost, and using it as part of a state-changing function may render the function
uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block.

Additionally, both functions that use these set values perform numerous operations, increasing the likelihood of a DoS.

Impact

The protocol will become unusable, as it will be impossible to remove a collateral priority from the list and to liquidate some accounts.

Tools Used

Manual review

Recommendations

Implement a size limitation for both sets to prevent a DoS scenario.
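
One way to apply this recommendation, shown as an added example that is not the audited protocol's code: the cap is enforced where the set grows, so any state-changing function that later calls values() copies a bounded number of entries. The contract name, owner check, error names, function names and the MAX_COLLATERALS value are assumptions made for illustration; only the set name and the OpenZeppelin EnumerableSet calls come from the finding and the library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";

// Added illustration, not the audited protocol's code.
contract BoundedCollateralPriority {
    using EnumerableSet for EnumerableSet.AddressSet;

    // Assumed cap: pick it so values() plus the loops below stay well under the block gas limit.
    uint256 public constant MAX_COLLATERALS = 32;

    address public immutable owner; // hypothetical admin
    EnumerableSet.AddressSet private collateralLiquidationPriority;

    error NotOwner();
    error SetFull(uint256 cap);
    error AlreadyListed(address collateral);
    error NotListed(address collateral);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Growth is the only unbounded input, so the cap is enforced where the set grows.
    function addCollateral(address collateral) external onlyOwner {
        if (collateralLiquidationPriority.length() >= MAX_COLLATERALS) revert SetFull(MAX_COLLATERALS);
        if (!collateralLiquidationPriority.add(collateral)) revert AlreadyListed(collateral);
    }

    // State-changing path that copies the whole set to memory.
    // In this example the set is rebuilt because remove() swaps and pops, which would reorder it.
    function removeCollateral(address collateral) external onlyOwner {
        if (!collateralLiquidationPriority.contains(collateral)) revert NotListed(collateral);
        address[] memory old = collateralLiquidationPriority.values(); // <= MAX_COLLATERALS entries
        for (uint256 i = old.length; i > 0; --i) {
            collateralLiquidationPriority.remove(old[i - 1]); // last element first: plain pop
        }
        for (uint256 i = 0; i < old.length; ++i) {
            if (old[i] != collateral) collateralLiquidationPriority.add(old[i]);
        }
    }
}
```

The same pattern applies to a UintSet such as activeMarketIds, with its own cap checked before add().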

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
