Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

No limit of withdrawal queue size can cause DoS

Summary

In the PriorityPool contract, when a withdrawal is requested, it is added to the withdrawal queue so that it can be processed later through finalization. However, the array size is unbounded, which results in DoS once the array grows too large to be processed in one transaction.

Vulnerability Details

In the PriorityPool contract, when a withdrawal happens, it first checks whether any deposits are queued so that the withdrawal can be processed immediately. Otherwise, it adds the withdrawal information to a withdrawal queue through WithdrawalPool, which eventually adds it to an array.

Later, when _finalizeWithdrawal is called, for example through performUpkeep, it iterates through the withdrawal array and processes withdrawals one by one. This means that if the withdrawal array is big enough, the transaction will eventually revert.

A malicious attacker can grow the array by requesting multiple withdrawals, each with the minimum withdrawal amount.

Impact

  • Temporary (or long-term, depending on the situation) DoS in withdrawal actions.

Tools Used

Manual Review

Recommendations

The size of the withdrawal queue has to be limited so that the array does not grow too large.
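
One way to apply this recommendation, as an added example that is not stake.link's code or part of the submission: a hypothetical BoundedWithdrawalQueue that enforces a minimum amount, caps pending entries, and finalizes in fixed-size batches from a cursor. The contract name, the constants and the keeper role are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not the project's WithdrawalPool.
contract BoundedWithdrawalQueue {
    struct Withdrawal { address account; uint256 amount; }

    uint256 public constant MAX_PENDING = 500;  // assumed cap on unfinalized entries
    uint256 public constant MAX_PER_CALL = 50;  // assumed batch size per transaction
    uint256 public immutable minWithdrawal;     // assumed floor; raises cost of queue growth
    address public immutable keeper;            // assumed caller of finalize (e.g. upkeep)

    Withdrawal[] public queue;
    uint256 public nextIndex;                   // first entry not yet finalized
    mapping(address => uint256) public claimable;

    error BelowMinimum();
    error QueueFull();
    error NotKeeper();

    constructor(uint256 _minWithdrawal, address _keeper) {
        minWithdrawal = _minWithdrawal;
        keeper = _keeper;
    }

    function pending() public view returns (uint256) {
        return queue.length - nextIndex;
    }

    function queueWithdrawal(uint256 amount) external {
        if (amount < minWithdrawal) revert BelowMinimum();
        if (pending() >= MAX_PENDING) revert QueueFull();
        queue.push(Withdrawal(msg.sender, amount));
    }

    // Processes at most MAX_PER_CALL entries, so gas per call stays bounded
    // however long the queue is; the rest wait for the next call.
    function finalize(uint256 available) external returns (uint256 used) {
        if (msg.sender != keeper) revert NotKeeper();
        uint256 i = nextIndex;
        uint256 end = i + MAX_PER_CALL;
        if (end > queue.length) end = queue.length;
        for (; i < end; ++i) {
            Withdrawal storage w = queue[i];
            if (used + w.amount > available) break; // not enough liquidity yet
            used += w.amount;
            claimable[w.account] += w.amount;
        }
        nextIndex = i; // resume here on the next call
    }
}
```

A hard cap on its own means a full queue rejects new requests, so the batch cursor and the minimum amount are what keep finalization within the block gas limit.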

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
