Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

DoS via Withdrawal Queue Manipulation

Summary

The WithdrawalPool::_finalizeWithdrawals() function iterates over the queuedWithdrawals array to process withdrawals. However, the queuedWithdrawals array can be maliciously inflated by repeatedly withdrawing small amounts, such as 1 wei, which significantly increases the array's size. Iterating over it can then consume excessive gas, making it effectively impossible to process new withdrawals or deposits and resulting in a Denial of Service on deposits.

Vulnerability Details

In the PriorityPool::_withdraw() function, if the totalQueued is zero, any withdrawal will be added to the queuedWithdrawals array via the WithdrawalPool::queuedWithdrawals() function. Since there is no minimum restriction on the amount of tokens a user can withdraw, malicious actors can submit multiple withdrawals of just 1 wei, inflating the size of the queuedWithdrawals array.

When the WithdrawalPool::_finalizeWithdrawals() function attempts to process withdrawals by iterating through the queuedWithdrawals array, the excessive number of entries will consume all available gas, causing the transaction to fail.

Impact

_finalizeWithdrawals() is called during the deposit and performUpkeep processes, so both can be DoSed.

Tools Used

vscode

Recommendations

Limit the number of iterations in a single transaction to avoid excessive gas consumption.
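
A sketch of this recommendation, added here as an illustration and not taken from the submission or the stake.link code base. The contract name, the constants, the `nextIndex` cursor and the `claimable` accounting are all assumptions; it also adds a minimum withdrawal amount, since the report points out that none exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch, not stake.link's WithdrawalPool: names, constants and
// the accounting model are assumptions. Access control and token transfers
// are omitted to keep the bounded-loop pattern visible.
contract BoundedWithdrawalQueue {
    struct Withdrawal {
        address account;
        uint256 amount;
    }

    uint256 public constant MIN_WITHDRAWAL = 1e18; // assumed floor; rejects 1-wei entries
    uint256 public constant MAX_PER_CALL = 50;     // assumed cap on loop iterations

    Withdrawal[] public queuedWithdrawals;
    uint256 public nextIndex;                      // cursor: first unfinalized entry
    mapping(address => uint256) public claimable;

    error BelowMinimum(uint256 amount);

    function queueWithdrawal(address account, uint256 amount) external {
        if (amount < MIN_WITHDRAWAL) revert BelowMinimum(amount);
        queuedWithdrawals.push(Withdrawal(account, amount));
    }

    // Finalizes at most MAX_PER_CALL entries, so gas per call is bounded
    // regardless of queue length. Returns the liquidity left unused.
    function finalizeWithdrawals(uint256 available) external returns (uint256) {
        uint256 i = nextIndex;
        uint256 end = i + MAX_PER_CALL;
        if (end > queuedWithdrawals.length) end = queuedWithdrawals.length;

        while (i < end) {
            Withdrawal storage w = queuedWithdrawals[i];
            if (w.amount > available) break; // head not covered: stop, keep FIFO order
            available -= w.amount;
            claimable[w.account] += w.amount;
            ++i;
        }
        nextIndex = i; // later calls resume here instead of rescanning
        return available;
    }
}
```

Because the cursor persists between calls, a long queue is drained across several transactions and callers such as a deposit or upkeep path pay for at most `MAX_PER_CALL` iterations each.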

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
