DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

User can DoS protocol by spamming `TradingAccountBranch::createTradingAccount`

Summary

In order to start trading, a user must first create a trading account. There is no limit on how many accounts a single address can create, and, apart from gas, creating one costs nothing, so a malicious user can call createTradingAccount repeatedly. The submission argues this can be used to DoS the protocol.

Vulnerability Details

The following proof of code can be added to createTradingAccount.t.sol to corroborate the issue stated above. It shows that the same caller can create ten accounts in a row without any of the calls reverting, and that the account id simply keeps incrementing.

function test_UserCanCreateUnlimitedAccounts() external givenTheTradingAccountTokenIsSet {
    // The first account created by this caller is assigned id 1.
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit TradingAccountBranch.LogCreateTradingAccount(1, users.naruto.account);

    // Nine consecutive creations from the same caller; none of them reverts.
    for (uint256 i = 0; i < 9; i++) {
        perpsEngine.createTradingAccount(bytes(""), false);
    }

    // The tenth account from the same caller is still accepted and gets id 10.
    vm.expectEmit({ emitter: address(perpsEngine) });
    emit TradingAccountBranch.LogCreateTradingAccount(10, users.naruto.account);
    uint128 tradingAccountId = perpsEngine.createTradingAccount(bytes(""), false);
    assertEq(tradingAccountId, 10);
}

Impact

The submission claims that a malicious user spamming createTradingAccount can DoS the protocol and make it impossible for other users to interact with it. Note that the proof of code above only demonstrates that one address can create an unbounded number of accounts and that the id counter keeps increasing; it does not show any other user's call reverting or any shared resource being exhausted. That gap is the basis of the judging outcome recorded below.

Tools Used

Manual review

Recommendations

Consider adding a maximum number of accounts per address. If that maximum is greater than one, store a mapping from owner address to the list of account ids it has created, and check the list length against the maximum in createTradingAccount so that the call reverts once the cap is reached. A cooldown period between consecutive account creations by the same address can be added as well.
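The following contract is an added example of the recommended checks, written for this page; it is not Zaros code and the names `TradingAccountLimits`, `maxAccountsPerOwner`, `creationCooldown`, `MaxAccountsReached` and `CreationCooldownActive` are assumptions chosen for illustration. It keeps a per-owner list of created account ids, rejects creation once the cap is hit, and enforces a cooldown between creations by the same address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Hypothetical sketch of the recommended limits (not the project's code).
/// Caps how many trading accounts one owner may create and enforces a
/// cooldown between consecutive creations by the same owner.
contract TradingAccountLimits {
    uint128 public nextAccountId = 1;

    // Assumed configuration values; a real deployment would set them via governance.
    uint256 public immutable maxAccountsPerOwner;
    uint256 public immutable creationCooldown; // in seconds

    // owner => ids of the accounts that owner created
    mapping(address => uint128[]) private _accountsOf;
    // owner => timestamp of that owner's most recent account creation
    mapping(address => uint256) private _lastCreatedAt;

    event LogCreateTradingAccount(uint128 indexed tradingAccountId, address indexed sender);

    error MaxAccountsReached(address owner, uint256 max);
    error CreationCooldownActive(address owner, uint256 availableAt);

    constructor(uint256 _maxAccountsPerOwner, uint256 _creationCooldown) {
        maxAccountsPerOwner = _maxAccountsPerOwner;
        creationCooldown = _creationCooldown;
    }

    function createTradingAccount() external returns (uint128 tradingAccountId) {
        uint128[] storage owned = _accountsOf[msg.sender];

        // Check 1: per-address cap on the number of accounts.
        if (owned.length >= maxAccountsPerOwner) {
            revert MaxAccountsReached(msg.sender, maxAccountsPerOwner);
        }

        // Check 2: cooldown since this address last created an account.
        // A zero timestamp means this address has never created one.
        uint256 lastCreatedAt = _lastCreatedAt[msg.sender];
        uint256 availableAt = lastCreatedAt + creationCooldown;
        if (lastCreatedAt != 0 && block.timestamp < availableAt) {
            revert CreationCooldownActive(msg.sender, availableAt);
        }

        tradingAccountId = nextAccountId++;
        owned.push(tradingAccountId);
        _lastCreatedAt[msg.sender] = block.timestamp;

        emit LogCreateTradingAccount(tradingAccountId, msg.sender);
    }

    /// @notice Ids of the accounts created by `owner`, in creation order.
    function accountsOf(address owner) external view returns (uint128[] memory) {
        return _accountsOf[owner];
    }
}
```

With `maxAccountsPerOwner` set to 1 the array can be replaced by a single `mapping(address => uint128)`. Both checks are keyed on `msg.sender`, so they only rate-limit one address; an attacker with many addresses pays only the gas to create them, which is why a per-address cap is a speed bump rather than a hard defence and why the underlying question of whether extra accounts harm other users at all matters more than the cap.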

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
