In the sendProfit function, a zero amount can be passed, triggering an unnecessary Profit event. This could enable malicious actors to spam the Profit event at no cost, which may cause log bloat and unnecessary strain on monitoring services.
The function sendProfit lacks validation for a non-zero amount parameter. This allows a user to call sendProfit with amount = 0, which will not distribute any profits to token holders but will still emit a Profit event. This could lead to event spamming at no cost to the caller.
Event spamming: A malicious user can call sendProfit with amount = 0 repeatedly to create unnecessary Profit events. This may lead to:
Log bloat, which can hinder the monitoring and analysis of legitimate profit distributions.
Increased costs for infrastructure that monitors and processes events on the blockchain.
Add a check to ensure that amount > 0 before proceeding with profit distribution and event emission.
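The recommended check, shown beside the unguarded version, as an added example rather than the audited project's code; the ERC-20 pull, the per-share accounting and the names profitToken, totalShares and accProfitPerShare are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. The token pull, the
// accProfitPerShare accounting and the storage names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ProfitDistributor {
    IERC20 public immutable profitToken;
    uint256 public totalShares;        // assumed: total token-holder shares
    uint256 public accProfitPerShare;  // accumulated profit per share, scaled by 1e18

    event Profit(address indexed from, uint256 amount);

    constructor(IERC20 _profitToken, uint256 _totalShares) {
        require(_totalShares > 0, "no shares");
        profitToken = _profitToken;
        totalShares = _totalShares;
    }

    // Before: amount == 0 moves nothing and changes no accounting, yet still
    // emits Profit, so empty events can be produced at no cost to the caller.
    function sendProfitUnchecked(uint256 amount) external {
        require(profitToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        accProfitPerShare += (amount * 1e18) / totalShares;
        emit Profit(msg.sender, amount);
    }

    // After: reject a zero amount before any transfer, state change or event.
    function sendProfit(uint256 amount) external {
        require(amount > 0, "sendProfit: zero amount");
        require(profitToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        accProfitPerShare += (amount * 1e18) / totalShares;
        emit Profit(msg.sender, amount);
    }
}
```

Monitoring that consumes Profit events can then treat every emitted event as a real, non-zero distribution.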