Anyone can DDOS vesting contract #271
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
3 (High Risk)
|
Duplicate of #120 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
pauliax
Vulnerability details
Impact
Vest function can be accessed by anyone. It accepts arbitrary _beneficiary and pushes new vesting to the array of this beneficiary timelocks. As a malicious actor I can block any user by just invoking vest function with a tiny amount of vest token. The problem may arise later when it iterates over all the timelocks in a loop. This timelocks array does not have any boundaries so it eventually can grow so large as to make operations of the contract cost too much gas to fit in a block. The execution may exceed the block gas limit, consume all the gas provided, and fail.
Recommended Mitigation Steps
A simple solution would be to specify the exact timelock id (or an array of ids) when claiming or revoking the timelock. Another possible solution is to add auth restrictions on the vest function but it adds extra dependency trust on admins.
The text was updated successfully, but these errors were encountered: