Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

unlimited number of accounts can be added to the accounts array, can lead to DoS

0xtheblackpanther

Summary

The PriorityPool contract allows an unlimited number of accounts to be added to the accounts array, potentially leading to scalability issues and increased vulnerability to DoS attacks.

Impact

  • High gas costs for operations that iterate over all accounts

  • Potential DoS vulnerability

  • Increased storage costs

  • Scalability challenges for off-chain processes dealing with Merkle tree generation

Where is the issue and what causes it?

The issue is in the _deposit function:

function _deposit(address _account, uint256 _amount, bool _shouldQueue, bytes[] memory _data) internal {
...
if (_shouldQueue) {
_requireNotPaused();
if (accountIndexes[_account] == 0) {
accounts.push(_account);
accountIndexes[_account] = accounts.length - 1;
}
...
}
...
}

This function adds new accounts to the accounts array without any upper limit. The root cause is the lack of a maximum cap on the number of accounts that can be added to the pool.

Proof of concept

An attacker could create numerous small deposits from different addresses:

for (uint i = 0; i < 1000; i++) {
address newAccount = address(uint160(i + 1));
priorityPool.deposit(1, true, new bytes[](0)); // Assuming a minimum deposit of 1 token
}

This would add 1000 new accounts to the accounts array, potentially making operations like getAccountData() prohibitively expensive.

Recommendations

  1. Implement a maximum limit on the number of accounts:

uint256 public constant MAX_ACCOUNTS = 10000; // Example limit
function _deposit(...) internal {
...
if (_shouldQueue) {
_requireNotPaused();
if (accountIndexes[_account] == 0) {
require(accounts.length < MAX_ACCOUNTS, "Max accounts reached");
accounts.push(_account);
accountIndexes[_account] = accounts.length - 1;
}
...
}
...
}

  1. Introduce a minimum deposit amount to discourage creation of many small deposits.

  2. Implement a mechanism to remove inactive accounts periodically, freeing up space for new active users.

  3. Consider using a more gas-efficient data structure for managing accounts, such as a mapping with a separate array for active account addresses.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Appeal created

0xtheblackpanther Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.