Submission Details
Severity:
Unbounded Array Growth in StabilityPool Manager System
Summary
StabilityPool's manager array can grow indefinitely, leading to gas limit issues and blocking manager removal.
Vulnerability Details
There is no check when adding a new manager to the total length of the array.
//StabilityPool
function addManager(address manager, uint256 allocation) external onlyOwner {
if (managers[manager]) revert ManagerAlreadyExists();
managers[manager] = true;
managerAllocation[manager] = allocation;
totalAllocation += allocation;
managerList.push(manager); // Unbounded array growth, no check if iterations will exceed gas limits
emit ManagerAdded(manager, allocation);
}
function removeManager(address manager) external onlyOwner {
// Must iterate entire array
_removeManagerFromList(manager);
}
function _removeManagerFromList(address manager) private {
uint256 managerIndex = findManagerIndex(manager);
uint256 lastIndex = managerList.length - 1;
if (managerIndex != lastIndex) {
managerList[managerIndex] = managerList[lastIndex];
}
managerList.pop();
}
Impact
If the total length exceed gasLimit, it will become impossible to remove manager after.
Tools Used
Manual
Recommendations
Add a limit to managers array
uint256 public constant MAX_MANAGERS = 100;
function addManager(address manager, uint256 allocation) external onlyOwner {
require(managerList.length < MAX_MANAGERS, "Too many managers");
// ...
}
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.