Core Contracts

Summary

In the finalizeLiquidation function, the contract iterates over the user.nftTokenIds array to transfer each NFT to the stability pool. Since the length of nftTokenIds is unbounded, an attacker could deposit a large number of NFTs to trigger excessive gas consumption, potentially leading to transaction failure due to gas limits. This issue could result in a denial-of-service (DoS) for the liquidation finalization process.

Vulnerability Details

Within the finalizeLiquidation function, the following code snippet processes the user’s NFT collateral:

Since the array size is dynamic and can potentially be very large, the loop may consume excessive gas, causing the transaction to run out of gas and revert. This creates an opportunity for gas griefing, where an attacker deliberately causes the function to exceed the gas limit and block liquidation finalization.

Impact

• Denial of Service: The liquidation process could be delayed or blocked entirely if the transaction fails due to high gas consumption.

• Operational Disruption: Critical protocol operations involving liquidation finalization might be hindered, impacting the protocol’s overall functionality and reliability.

• Economic Exploitation: Attackers could exploit this issue to prevent liquidations, potentially allowing them to maintain undercollateralized positions.

Tools Used

Manual Audit

Recommendations

• Batch Processing: Implement batch processing for NFT transfers, limiting the number of iterations per transaction to a safe threshold.

• Gas Limit Checks: Introduce mechanisms to check and limit the number of NFTs processed in a single call.

• Alternative Data Structures: Consider using a more gas-efficient data structure or off-chain processing to handle large NFT arrays.