Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Gas Exhaustion DoS Attacks Thro Unbounded Looping in Batch Functions

pengu

Summary

The AaveDIVAWrapper contract contains batch functions such as batchRegisterCollateralToken and batchCreateContingentPool that iterate over unbounded input arrays. This lack of size limitation exposes the protocol to Denial of Service (DoS) attacks via gas exhaustion, disrupting essential administrative operations and protocol scalability.

Detailed Analysis

Root Cause

Unrestricted looping in batch functions processes input arrays without size validation, making them vulnerable to transactions that exceed the block gas limit:

function batchRegisterCollateralToken(
address[] calldata _collateralTokens
) external override onlyOwner nonReentrant returns (address[] memory) {
uint256 _length = _collateralTokens.length;
address[] memory _wTokens = new address[]();
for (uint256 i = 0; i < _length; i++) {
_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);
}
return _wTokens;
}

  • Unbounded Loops: The function processes all elements in _collateralTokens without any limit.

  • Gas Limit Sensitivity: Large input arrays can cause the transaction to exceed the block gas limit, reverting the entire operation.

Attack Scenarios

Scenario 1: Denial of Service via Gas Exhaustion

  1. Setup:

    • An attacker or a legitimate user submits a transaction with an excessively large input array (e.g., 500+ tokens).

  2. Execution:

    • The batch function iterates over the input array, consuming increasing amounts of gas for each iteration.

    • Once the transaction’s gas consumption exceeds the block gas limit, it reverts.

  3. Impact:

    • Operational Halt: Legitimate administrative actions like registering collateral tokens or creating pools are blocked.

    • Gas Wastage: Failed attempts to process large batches lead to unnecessary gas fees.

Scenario 2: Indirect Exploitation

  1. Setup:

    • An attacker identifies the absence of batch size limits.

  2. Execution:

    • The attacker submits repeated large input arrays to intentionally cause transaction failures.

    • This delays legitimate operations and frustrates administrators.

  3. Impact:

    • Reduced Scalability: The protocol becomes unable to handle large-scale updates efficiently.

    • Reputation Damage: Users and stakeholders lose confidence in the protocol’s robustness.

Impact

Severity: High

  1. DoS Potential: Attackers can exploit the unbounded loops to disrupt key protocol functions.

  2. Economic Loss: Repeated failed transactions incur significant gas costs for administrators and users.

  3. Scalability Challenges: Unrestricted loops hinder the protocol’s ability to handle large-scale operations effectively.

Recommendations

1. Implement Batch Size Limits

Limit the maximum allowable size of input arrays to prevent gas exhaustion:

uint256 constant MAX_BATCH_SIZE = 100;
function batchRegisterCollateralToken(
address[] calldata _collateralTokens
) external override onlyOwner nonReentrant returns (address[] memory) {
require(_collateralTokens.length <= MAX_BATCH_SIZE, "Batch size exceeds limit");
uint256 _length = _collateralTokens.length;
address[] memory _wTokens = new address[]();
for (uint256 i = 0; i < _length; i++) {
_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);
}
return _wTokens;
}

2. Optimize Loop Efficiency

Minimize gas usage per iteration by avoiding unnecessary storage writes:

  • Use memory variables for interim calculations.

  • Reduce function calls within loops where possible.

3. Provide Array Splitting Guidance

Advise administrators to split large batches into smaller, manageable transactions. Develop frontend tools to automate array splitting.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.