Git branch: M03
Affected smart contract
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L289-L298
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L300-L309
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L311-L326
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L328-L343
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L362-L375
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/Chief.sol#L399-L419
Description
In the Chief contract, the setPermissionlessDeployments function allows any user to deploy vaults. If this is allowed, a malicious user could create a large number of vaults, breaking the functionality of the pauseForceAllVaults, unpauseForceAllVaults, pauseActionInAllVaults, and unpauseActionInAllVaults functions, because these functions iterate over the array of vaults with a for loop, which ends in an out-of-gas error.
Attack scenario
With permissionlessDeployments allowed, the attacker uses the deployVault function to deploy a large number of vaults. The pauseForceAllVaults, unpauseForceAllVaults, pauseActionInAllVaults, and unpauseActionInAllVaults functions can't execute the transaction because they would run out of gas.
The timelock could use setVaults to fix this bug, but it's laborious and expensive.
Recommendation
Add functions to pause an array of vaults:
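An added sketch, not code from the report or from Fuji: the unbounded loop the report describes, next to a function that pauses a caller-supplied array of vaults. ChiefSketch, IPausableVaultSketch, registerVault and pauseForceVaults are hypothetical names, and access control is reduced to a single owner as an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical minimal vault interface, assumed for this sketch only.
interface IPausableVaultSketch {
    function pauseForceAll() external;
}

// Hypothetical contract; not the real Chief.
contract ChiefSketch {
    address public immutable owner;
    address[] internal _vaults;
    mapping(address => bool) public isVault;

    error NotOwner();
    error NotRegisteredVault(address vault);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Stand-in for permissionless deployment: anyone can grow the array.
    function registerVault(address vault) external {
        if (!isVault[vault]) {
            isVault[vault] = true;
            _vaults.push(vault);
        }
    }

    // Pattern from the report: gas grows with _vaults.length, which callers
    // of registerVault control, so the call can exceed the block gas limit.
    function pauseForceAllVaults() external onlyOwner {
        for (uint256 i = 0; i < _vaults.length; i++) {
            IPausableVaultSketch(_vaults[i]).pauseForceAll();
        }
    }

    // Recommended shape: the caller chooses the vaults, so gas is bounded
    // by the calldata array and the work can be split across transactions.
    function pauseForceVaults(address[] calldata vaults) external onlyOwner {
        for (uint256 i = 0; i < vaults.length; i++) {
            if (!isVault[vaults[i]]) revert NotRegisteredVault(vaults[i]);
            IPausableVaultSketch(vaults[i]).pauseForceAll();
        }
    }
}
```

The same array-parameter shape applies to the unpause and per-action variants; the membership check keeps the privileged caller from invoking arbitrary addresses.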