Respx - Carousel rollover queues can become clogged with small items

[sherlock-admin]

Respx

medium

Carousel rollover queues can become clogged with small items

Summary

Low value items in the rollover queue are not processed, but remain in the queue and are reprocessed with each epoch. This will add gas fees to the cost of processing every epoch and could even make rollovers non-viable.

Vulnerability Detail

The critical section of code is inside the loop in Carousel.mintRollovers() where queue items with a value below relayerFee are skipped, but not removed.

Although there are measures to prevent rollover items with a value below relayerFee from being directly added to the rollover queue, it can still happen if the value of relayerFee is increased.

If a sufficiently large number of items of this kind accumulate in the queue, either as a result of a denial of service attack or through a Carousel running for a very long time, then the gas cost of processing rollovers could increase significantly.

Impact

With a sufficiently large number of clogging entries, the gas fee for processing rollovers could become prohibitively expensive and relayers would no longer process them. This could lead to an increase in the value of relayerFee which would only make the situation worse. Eventually, the Carousel would need to be abandoned.

Code Snippet

https://github.com/Y2K-Finance/Earthquake/blob/736b2e1e51bef6daa6a5ecd1decb7d156316d795/src/v2/Carousel/Carousel.sol#L403-L406

                    if (queue[index].assets < relayerFee) {
                        index++;
                        continue;
                    }

Tool used

Manual Review

Recommendation

Consider allowing items in the rollover queue with a value below relayerFee to be delisted and refunded to any user if they have been in the queue for a long time.

Duplicate of #172