Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

ck - Malicious depositos and relayers can cause denial of service in mintDepositInQueue #274

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

ck - Malicious depositos and relayers can cause denial of service in mintDepositInQueue #274

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by github-actions bot
Loading

ck

medium

Malicious depositos and relayers can cause denial of service in mintDepositInQueue

Summary

Malicious depositos and relayers can cause denial of service in mintDepositInQueue

Vulnerability Detail

An attacker could prevent other users from having their deposits minted by continually increasing the queue.

The mintDepositInQueue function clears the queue from the tail to the head:

        // queue is executed from the tail to the head
        // get last index of queue
        uint256 i = length - 1;
        while ((length - _operations) <= i) {
            // this loop impelements FILO (first in last out) stack to reduce gas cost and improve code readability
            // changing it to FIFO (first in first out) would require more code changes and would be more expensive
            _mintShares(
                queue[i].receiver,
                _epochId,
                queue[i].assets - relayerFee
            );

The attacker is able to prevent the early deposits in the queue from being cleared by frontrunning relayers with a large number of small deposits.

Ideally, relayers should be able to specify a very high number of operations to clear, but this could fail due to the loop growing too big and running out of gas.

The attacker could themselves be a relayer to reduce the cost of the attack. What they could do is make the deposits they use for the DOS be equal to or slightly larger than the relayer fee. They would then relay some of their deposits therefore getting their funds back and then repeating the process. The attack would be amplified by multiple attackers.

Whereas the DOS could eventually be resolved, it would take concerted effort as the malicious depositors could also be relayers monitoring the mempool and would continue attempting to thwart resolution.

Impact

Denial of service of deposits. The protocol team would constantly have to deal with DOS attempts.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L331-L338

Tool used

Manual Review

Recommendation

The first in last out makes this DOS a likelihood. A first in first out approach may be the better option as it solves the issue.

Duplicate of #174
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@twicek twicek mentioned this issue Apr 12, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin