First Flight #21: KittyFi

First Flight #21
Tags: Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Potential DoS Vulnerability and Math Issues in getUserMeowllateralInEuros Function

Summary

The getUserMeowllateralInEuros function calculates the total collateral of a user across all vaults by iterating through the vaults array. If the array is too large, this can result in excessive gas consumption, leading to potential DoS attacks. Additionally, unchecked arithmetic can lead to overflow issues when summing large collateral values. Proper bounds checking and overflow protections are necessary to ensure the function's reliability and security.

Vulnerability Details

function getUserMeowllateralInEuros(address _user) public view returns (uint256 totalUserMeowllateral) {
    uint256 vault_length = vaults.length;
    for (uint256 i; i < vault_length; ) {
        totalUserMeowllateral += IKittyVault(vaults[i]).getUserVaultMeowllateralInEuros(_user);
        unchecked {
            ++i;
        }
    }
}

Issues Identified

  1. Denial of Service (DoS) Attack:

    • Unbounded Loop: The function iterates over the entire vaults array, and if the array is very large, it can lead to high gas consumption and potential out-of-gas errors.

    • DoS by Large Arrays: An attacker can exploit this by adding a large number of vaults, causing the function to fail due to excessive gas usage.

  2. Math Issues:

    • Unchecked Arithmetic: The loop increments i inside unchecked { ++i; }, which is safe because i is bounded by vault_length, but there is no explicit check on the accumulated value of totalUserMeowllateral, which could overflow for large collateral values.

Impact

The lack of bounds on the vaults array can lead to DoS attacks, where the function becomes unusable due to high gas costs. Additionally, unchecked arithmetic can cause overflow, leading to incorrect calculations and potential vulnerabilities in the system.

Tools Used

Manual

Recommendations

To mitigate these issues, implement bounds checking on the vaults array size and add overflow checks when summing up collateral values.

// MAX_VAULTS is a constant the pool would define as the upper bound on vaults it is willing to iterate.
function getUserMeowllateralInEuros(address _user) public view returns (uint256 totalUserMeowllateral) {
    uint256 vault_length = vaults.length;
    require(vault_length <= MAX_VAULTS, "Too many vaults to process");
    for (uint256 i = 0; i < vault_length; ) {
        uint256 userVaultMeowllateral = IKittyVault(vaults[i]).getUserVaultMeowllateralInEuros(_user);
        // Overflow check: the sum must not wrap below the running total
        require(totalUserMeowllateral + userVaultMeowllateral >= totalUserMeowllateral, "Overflow detected");
        totalUserMeowllateral += userVaultMeowllateral;
        unchecked {
            ++i;
        }
    }
}

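To quantify the DoS concern rather than assert it, the following Foundry test (an added example, not part of this submission or the KittyFi code base) measures how the gas cost of the loop grows with vaults.length and projects the vault count at which a call would no longer fit in a 30M-gas block. LoopPool and MockVault are hypothetical stand-ins that reproduce only the loop shown above; the real IKittyVault and pool storage layout are assumed, not copied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the KittyFi vault interface named in the finding.
interface IKittyVault {
    function getUserVaultMeowllateralInEuros(address _user) external view returns (uint256);
}

// Mock vault: every user is credited a constant 1e18 EUR of collateral.
contract MockVault is IKittyVault {
    function getUserVaultMeowllateralInEuros(address) external pure returns (uint256) { return 1e18; }
}

// Hypothetical pool that reproduces only the unbounded loop from the finding.
contract LoopPool {
    address[] public vaults;
    function addVault(address v) external { vaults.push(v); }
    function getUserMeowllateralInEuros(address _user) public view returns (uint256 total) {
        uint256 n = vaults.length;
        for (uint256 i; i < n; ) {
            total += IKittyVault(vaults[i]).getUserVaultMeowllateralInEuros(_user);
            unchecked { ++i; }
        }
    }
}

contract LoopGasTest is Test {
    LoopPool pool;
    function setUp() public { pool = new LoopPool(); }

    // Samples gas at 10 and 100 vaults to derive the marginal per-vault cost and the
    // projected vault count that exhausts a 30M block. All vaults share one mock address,
    // so real deployments with distinct (cold) vault addresses cost more per iteration.
    function test_gasGrowsLinearlyWithVaultCount() public {
        MockVault v = new MockVault();
        for (uint256 i; i < 10; ++i) pool.addVault(address(v));
        uint256 g0 = gasleft();
        pool.getUserMeowllateralInEuros(address(this));
        uint256 gas10 = g0 - gasleft();
        for (uint256 i; i < 90; ++i) pool.addVault(address(v));
        g0 = gasleft();
        pool.getUserMeowllateralInEuros(address(this));
        uint256 gas100 = g0 - gasleft();
        uint256 perVault = (gas100 - gas10) / 90;
        emit log_named_uint("gas per vault", perVault);
        emit log_named_uint("vaults needed to exceed 30M gas", 30_000_000 / perVault);
        assertGt(gas100, gas10);
    }
}
```

Run with `forge test -vv` to see the logged per-vault cost; comparing that projection against how many vaults the protocol can realistically register is what decides whether the unbounded loop is a practical risk.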
Updates

Lead Judging Commences

shikhar229169 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
