Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Invalid

Unbounded oracle-controlled loop leading to potential DoS in `BuyerAgent.sol` L237.

Summary:

In the `purchase()` function, the number of loop iterations depends on data returned by the oracle. The oracle could potentially return an extremely large array of assets.

Without an upper limit on the array length, the contract is at risk: a very large array returned by the oracle could result in excessive gas consumption and a DoS.

There is no limit on loop iterations or on gas consumption.

Vulnerability Details:

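```solidity
// read oracle result using the latest task id for this round
bytes memory output = oracleResult(taskId);
address[] memory assets = abi.decode(output, (address[]));
// we purchase each asset returned
// (the iteration count is assets.length, which comes straight from the oracle output)
for (uint256 i = 0; i < assets.length; i++) {
    address asset = assets[i];
    // ... rest of the loop body, see the linked source
}
```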

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/BuyerAgent.sol

Impact:

  1. Potential denial-of-service attack.

  2. Transaction failures due to gas limits.

  3. No limits on loop iterations or gas consumption.

  4. An attacker could manipulate the oracle result to return a very large array of assets, which could cause the loop to make many external calls and hit the block gas limit, resulting in transaction failure.

Tools Used:

Manual Review

Recommendations:

  1. Set a maximum limit on the array length to prevent excessive looping.

  2. Avoid relying on oracle data to control execution flow; use internally managed checks and validations wherever possible.
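
One way to apply the first recommendation, as an added example that is not part of the original submission or the Swan repository. `MAX_ASSETS_PER_ROUND`, the error and event names, and the `purchase(bytes)` signature are assumptions made for illustration; only the decode-then-loop pattern comes from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the Swan code base. All names here are hypothetical.
contract BoundedOraclePurchase {
    // Assumed cap: choose a value whose worst-case loop cost fits well inside one block.
    uint256 public constant MAX_ASSETS_PER_ROUND = 50;

    error OracleOutputTooLarge(uint256 byteLength, uint256 maxByteLength);
    error TooManyAssets(uint256 count, uint256 max);

    event AssetPurchased(address indexed asset);

    /// Decode an ABI-encoded address[] only if it cannot exceed the cap.
    function decodeBounded(bytes memory output) public pure returns (address[] memory assets) {
        // abi.encode(address[]) is a 32-byte offset, a 32-byte length, then 32 bytes
        // per element, so the byte length bounds the element count before decoding.
        uint256 maxBytes = 64 + 32 * MAX_ASSETS_PER_ROUND;
        if (output.length > maxBytes) {
            revert OracleOutputTooLarge(output.length, maxBytes);
        }

        assets = abi.decode(output, (address[]));

        // Defence in depth: the decoded element count is checked as well.
        if (assets.length > MAX_ASSETS_PER_ROUND) {
            revert TooManyAssets(assets.length, MAX_ASSETS_PER_ROUND);
        }
    }

    /// Stand-in for the purchase loop: the iteration count is now bounded by the cap.
    function purchase(bytes memory output) external {
        address[] memory assets = decodeBounded(output);
        for (uint256 i = 0; i < assets.length; i++) {
            // A real implementation would buy the asset here; the event marks the call site.
            emit AssetPurchased(assets[i]);
        }
    }
}
```

A hard revert keeps the loop bounded but also blocks the call whenever the oracle output is oversized; processing only the first `MAX_ASSETS_PER_ROUND` entries, or purchasing in batches across several transactions, are alternatives when the call must still make progress.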

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
