The function findManagerIndex in the StabilityPool contract lacks a mechanism to limit the number of managers added, which can lead to an Out of Gas (OOG) error during execution. This vulnerability arises from an unbounded loop that iterates through the managerList, which can grow indefinitely if not properly managed. This would lead to a denial of service (DoS) of removeManager().
The findManagerIndex function is designed to locate the index of a specified manager within the managerList. The implementation is as follows:
In this function, the loop iterates through the managerList array, which can grow as managers are added. If the number of managers becomes excessively large, the loop may consume all available gas, leading to a transaction failure. This is particularly concerning in a decentralized environment where the number of managers could potentially be unbounded.
The primary impact of this vulnerability is the risk of denial of service (DoS) for the contract. If a user attempts to find a manager's index (during operations such as removeManager()) when the managerList has grown too large, the transaction will fail due to running out of gas. This could prevent legitimate operations from being executed, such as updating allocations or removing managers, thereby affecting the overall functionality and reliability of the StabilityPool contract.
Manual Review
To mitigate the risk of an OOG error in the findManagerIndex function, the following recommendations are proposed:
Limit the Number of Managers: Introduce a maximum cap on the number of managers that can be added to the managerList. This can be enforced in the addManager function:
Use a Mapping for Manager Indices: Instead of iterating through an array, maintain a mapping that directly associates manager addresses with their indices. This allows for O(1) access time:
Implement Proper Error Handling: Ensure that the contract gracefully handles cases where the maximum number of managers is reached, providing clear feedback to users.
By implementing these recommendations, the StabilityPool contract can enhance its robustness and prevent potential denial of service attacks due to gas exhaustion.
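The following contract is an added illustration of the three recommendations together (cap on additions, mapping-based O(1) index lookup, and explicit errors); it is not the audited StabilityPool code. The contract name, the MAX_MANAGERS value and the error names are assumed, and access control on addManager/removeManager is left out to keep the example short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited StabilityPool code. Contract and
// error names are assumed; access control on add/remove is omitted here.
contract ManagerRegistry {
    uint256 public constant MAX_MANAGERS = 32;

    address[] public managerList;
    // Stores index + 1 so that 0 means "not a manager".
    mapping(address => uint256) private managerIndexPlusOne;

    error ManagerCapReached(uint256 cap);
    error AlreadyManager(address manager);
    error NotManager(address manager);

    function addManager(address manager) external {
        if (managerList.length >= MAX_MANAGERS) revert ManagerCapReached(MAX_MANAGERS);
        if (managerIndexPlusOne[manager] != 0) revert AlreadyManager(manager);
        managerList.push(manager);
        managerIndexPlusOne[manager] = managerList.length; // index + 1
    }

    // O(1) lookup: no loop over managerList, so gas does not grow with its size.
    function findManagerIndex(address manager) public view returns (uint256) {
        uint256 idxPlusOne = managerIndexPlusOne[manager];
        if (idxPlusOne == 0) revert NotManager(manager);
        return idxPlusOne - 1;
    }

    // O(1) removal by swap-and-pop; the entry moved into the hole gets its index updated.
    function removeManager(address manager) external {
        uint256 idx = findManagerIndex(manager);
        uint256 last = managerList.length - 1;
        if (idx != last) {
            address moved = managerList[last];
            managerList[idx] = moved;
            managerIndexPlusOne[moved] = idx + 1;
        }
        managerList.pop();
        delete managerIndexPlusOne[manager];
    }

    function managerCount() external view returns (uint256) {
        return managerList.length;
    }
}
```

With the mapping in place, removeManager() costs the same gas whether managerList holds one manager or the full cap, so the cap becomes a policy limit rather than the only thing standing between the contract and an OOG revert.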