Hardcoded Deposit Limit Creates DoS Risk
Summary
The protocol uses a hardcoded limit of 100 deposits per user per pool, which could lead to denial of service conditions across different chains due to varying gas costs and block gas limits.
Vulnerability Details
In the UpliftOnlyExample contract, there is a hardcoded limit of 100 deposits per user per pool:
This creates several issues:
Gas costs per opcode can change over time with network upgrades
block gas limits can change over time with chain upgrades
The protocol is designed to be deployed across multiple chains making changes in gas costs a more likely occurrence and more likely to become a problem
A fixed limit may become too low as conditions change
The hardcoded value fails to account for:
Chain-specific gas dynamics
Network upgrades that modify opcode costs
Different economic conditions across chains
Future scalability needs
Impact
DOS
The expected limit may be unattainable due to gas costs and block gas limits changing over time. Preventing users from accessing some of there positions.
Tools Used
Manual Review
Recommendations
Replace the hardcoded limit with a configurable parameter:
This allows:
Chain-specific deposit limits
Adjustment as gas costs change
Different limits for different economic conditions
Future scalability through parameter updates
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.