Submission Details
Severity:
Denial of Service (DoS) in distributeProtocolAssetReward Function
Summary
The distributeProtocolAssetReward function in the MarketMakingEngineConfiguration.sol contract is vulnerable to a potential Denial of Service (DoS) attack due to its unbounded loop over the protocolFeeRecipients map. This can lead to excessive gas consumption and transaction failures, especially when the number of fee recipients is large.
Vulnerability Details
The issue is located in the following code snippet:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/39e33b2f6b3890573bb1affc41a7e520277ceb2c/src/market-making/leaves/MarketMakingEngineConfiguration.sol#L60-L89
The function iterates over all entries in the protocolFeeRecipients map without any bounds, which can lead to excessive gas consumption and potential transaction failures if the number of entries is large.
Impact
The impact of this issue is that it can lead to excessive gas consumption and transaction failures, potentially causing a Denial of Service (DoS) for users interacting with the contract. This can prevent users from performing essential operations such as distributing protocol rewards.
Tools Used
manual
Recommendations
To mitigate this issue, it is recommended to use the pull-over-push pattern and add offset and limit parameters to the distributeProtocolAssetReward function to allow for bounded iteration over the protocolFeeRecipients map. This can be achieved by implementing the following changes:
Add offset and limit parameters to the function signature.
Modify the loop to iterate only within the specified range.
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821 USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.