Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

massUpdatePools() is susceptible to DoS with block gas limit #197

Open
code423n4 opened this issue May 24, 2022 · 5 comments
Open

massUpdatePools() is susceptible to DoS with block gas limit #197

code423n4 opened this issue May 24, 2022 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L178-L183

Vulnerability details

Impact

massUpdatePools() is a public function and it calls the updatePool() function for the length of poolInfo. Hence, it is an unbounded loop, depending on the length of poolInfo.
If poolInfo.length is big enough, block gas limit may be hit.

Proof of Concept

https://consensys.github.io/smart-contract-best-practices/attacks/denial-of-service/#dos-with-block-gas-limit

Tools Used

Manual analysis

Recommended Mitigation Steps

I suggest to limit the max number of loop iterations to prevent hitting block gas limit.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 24, 2022
code423n4 added a commit that referenced this issue May 24, 2022
@code423n4
catchup issue #197
db02977
@0xMaharishi
Copy link

Dupe of #147

@0xMaharishi 0xMaharishi added duplicate This issue or pull request already exists disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels May 27, 2022
@dmvt
Copy link
Collaborator

dmvt commented Jun 23, 2022

This is not a duplicate of #147 and is also clearly documented as a potential issue in the code itself. If the admin were to accidentally add too many pools the contract would be effected, but the likelihood of this is low and if it were to happen, the admin could still turn off the pools and migrate to another contract. This would, however, effect the protocol in a severely negative way. Not fully updating all of the pools would potentially cause accounting issue and lead to loss of earned rewards. Given the impact and likelihood together, I think medium is actually a reasonable in this case.

@IllIllI000
Copy link

IllIllI000 commented Jul 9, 2022
edited
Loading

@dmvt The massUpdatePool() function was found to be non-critical in previous contests (code-423n4/2022-02-concur-findings#161) and when I filed the issue with Convex for their bug bounty, they rejected it saying it was a "non-issue" and didn't meet their criteria for a bounty. Furthermore, ConvexMasterChef.sol is not listed as in scope for this contest: https://github.com/code-423n4/2022-05-aura#contracts-of-interest

@dmitriia
Copy link

dmitriia commented Jul 9, 2022
edited
Loading

Actually the scope was all non-test contracts, https://github.com/code-423n4/2022-05-aura#repo

@dmvt
Copy link
Collaborator

dmvt commented Jul 11, 2022

@dmvt The massUpdatePool() function was found to be non-critical in previous contests (code-423n4/2022-02-concur-findings#161) and when I filed the issue with Convex for their bug bounty, they rejected it saying it was a "non-issue" and didn't meet their criteria for a bounty. Furthermore, ConvexMasterChef.sol is not listed as in scope for this contest: https://github.com/code-423n4/2022-05-aura#contracts-of-interest

Unlike the other contest, massUpdatePools() is used in this contract. I'm going to keep this as medium.

@0xMaharishi 0xMaharishi added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") and removed sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Jul 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dmvt @dmitriia @code423n4 @0xMaharishi @IllIllI000