Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Gas Exhaustion in removeCollateralFromLiquidationPriority Function

jakefromstatefarm

Summary

The removeCollateralFromLiquidationPriority function is vulnerable to a gas exhaustion attack due to its inefficient iteration over the entire collateralLiquidationPriority set. This can prevent the removal of collateral types when the set is large, potentially leading to a denial of service.

Vulnerability Details

The removeCollateralFromLiquidationPriority function iterates over the entire collateralLiquidationPriority set to remove a specific collateral type. It removes and re-adds each collateral except the one to be removed, which is necessary to maintain the order of the set.

However, this approach is inefficient and can lead to gas exhaustion if the set contains a large number of collateral types. An attacker could exploit this by populating the set with many collateral types, causing the transaction to exceed the block gas limit and fail. This breaks the security guarantee of efficient and reliable collateral management, as it allows an attacker to prevent the removal of any collateral from the liquidation priority.

Impact

Medium because it can lead to a denial of service. By exploiting the gas exhaustion vulnerability, an attacker can prevent the removal of collateral types from the liquidation priority, disrupting the system's ability to manage collateral effectively. This can lead to operational inefficiencies and potential financial losses.

Likelihood

Medium/Low: While it requires an attacker to populate the set with a large number of collateral types, the absence of a mechanism to limit the set's size makes it feasible. The risk is higher in systems where the number of collateral types is not actively managed or limited.

Tools Used

An attacker adds a large number of collateral types to the collateralLiquidationPriority set. When the removeCollateralFromLiquidationPriority function is called, the transaction will fail due to gas exhaustion, preventing the removal of any collateral.

contract Exploit {
function populateCollateralSet(address targetContract, address[] memory collaterals) external {
for (uint256 i = 0; i < collaterals.length; i++) {
// Assume addCollateral is a function that adds a collateral to the set
targetContract.call(abi.encodeWithSignature("addCollateral(address)", collaterals[i]));
}
}
}

Recommendations

Optimize the function to avoid iterating over the entire set or implement a mechanism to limit the number of collaterals that can be added to the set. Consider using a more efficient data structure or algorithm to manage the collateral liquidation priority.

Could be two options:

  1. Limit the Number of Collaterals: Implement a mechanism to limit the number of collaterals that can be added to the set, reducing the risk of gas exhaustion.

  2. Optimize the Removal Process: Consider using a more efficient data structure or algorithm to manage the collateral liquidation priority, such as maintaining a separate mapping for quick access and removal.

function removeCollateralFromLiquidationPriority(Data storage self, address collateralType) internal {
// Check if the collateral exists
require(self.collateralLiquidationPriority.contains(collateralType), "Collateral not in priority");
// Example: Use a mapping to track positions and remove directly
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.