Bauer - DOS attack to getDepositQueueTVL() #332
Comments
Escalate for 10 USDC
This issue is not a duplicate of #174 and should not be medium severity since the issue is located in a view function that is not used in any state-changing function. As per the documentation:
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted
Valid low
This issue's escalations have been accepted! Contestants' payouts and scores will be updated according to the changes made on this issue.
Bauer
medium
DOS attack to getDepositQueueTVL()
Summary
The getDepositQueueTVL() function will return the whole array of depositQueue. It will run out of gas if a malicious user deposits small amounts for a long list of wallet addresses or if the deposit queue is already long.
Vulnerability Detail
The getDepositQueueTVL() function needs to return the whole array of depositQueue in memory, which requires a memory copy operation. As a result, when the list is too long, it will run out of gas.
Meanwhile, a malicious user can deposit small amounts for a long list of wallet addresses to increase the length of the array depositQueue.
As a result, it creates an effective DOS to the getDepositQueueTVL() function.
Impact
The function getDepositQueueTVL() is not useful anymore when there is a DOS attack.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L690-L694
Tool used
Manual Review
Recommendation
Revise the function getDepositQueueTVL() into getDepositQueueTVL(from, to) so that we can retrieve the deposit queue within a range of indices.
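A sketch of the ranged variant recommended above, added here as an illustration; it is not the Y2K Carousel code and not part of the original report. The QueueItem layout, the enqueue and depositQueueLength helpers, the returned cursor, and the assumption that the function totals a per-entry assets field are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only. Names other than depositQueue and
// getDepositQueueTVL are assumptions, as is the struct layout.
contract DepositQueueRangeExample {
    struct QueueItem {
        uint256 assets;
        address receiver;
    }

    QueueItem[] public depositQueue;

    // Any caller can append an entry, so the queue length is
    // influenced by untrusted users and has no upper bound.
    function enqueue(address receiver, uint256 assets) external {
        depositQueue.push(QueueItem({assets: assets, receiver: receiver}));
    }

    // Lets off-chain callers plan how many pages they need.
    function depositQueueLength() external view returns (uint256) {
        return depositQueue.length;
    }

    // Sums assets over the half-open index range [from, to).
    // `to` is clamped to the current length, so the caller decides how
    // much work one call performs instead of the queue length deciding it.
    function getDepositQueueTVL(uint256 from, uint256 to)
        external
        view
        returns (uint256 tvl, uint256 next)
    {
        uint256 len = depositQueue.length;
        if (to > len) to = len;
        require(from <= to, "bad range");
        for (uint256 i = from; i < to; ) {
            tvl += depositQueue[i].assets;
            unchecked { ++i; } // i < to <= len, cannot overflow
        }
        // Pass `next` as `from` on the following call; done when next == len.
        next = to;
    }
}
```

A caller pages through the queue with a fixed window size and adds up the partial totals, so no single call's gas use grows with the total queue length.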