DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Invalid

Potential for DoS Attack via liquidateAccounts function

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/LiquidationBranch.sol#L105-L223

Summary

A denial of service (DoS) attack can be launched by submitting a large number of invalid accounts to liquidateAccounts, causing excessive gas consumption and service disruption.

Vulnerability Details

The function does not limit the number of accounts processed or validate the accounts efficiently, allowing malicious users to submit large numbers of invalid accounts. This can lead to excessive gas consumption, causing the transaction to revert and potentially disrupting service.

Impact

Excessive Gas Consumption: Processing invalid accounts leads to high gas usage.

Denial of Service: Legitimate operations might be delayed or prevented due to excessive gas consumption and reverted transactions.

Tools Used

Manual

Recommendations

Implement Rate Limiting: Limit the number of accounts that can be processed in a single transaction.

Efficient Validation: Validate account IDs efficiently to minimize gas consumption.

Pagination: Implement pagination to spread the processing of accounts over multiple transactions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
