Closed code423n4 closed 2 years ago
While it is technically true that the number of components on a setToken is not limited, the above outlined issue should not be a big issue in practice since, since the manager can add components and would have to wilfully add a large amount of tokens. Also I don't think the set token would be permanently unusable / "bricked" in this case since the manager could reduce the number of components again for example by redeeming fCash positions one by one.
Assuming a malicious set token manager, this manager might be able to create a state where users are unable to mint / redeem their tokens. However since such a set token manager would also be able to deploy arbitary IERC20 contracts and could probably add those as a set token component using one of the other trade modules, this risk might be unavoidable in the given set architecture.
I will have to check with the guys from SetProtocol if this is a known and accepted risk or see if there is a good mitigation strategy.
Consider with #164
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L385 https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L309
Vulnerability details
Proof-of-Concept
The SetToken does not impose any upper limit on the number of positions that can be added. Thus, it is possible for the manager for add large number of positions to the SetToken until a point where an "Out of Gas" error or a "Block Gas Limit" error happens when the
_redeemMaturedPositions
function is executed.https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L385
The setToken issuance and redemption depend on the proper operation of
_redeemMaturedPositions
function. Thus, if the_redeemMaturedPositions
function is broken, the SetToken is unusable and is "bricked" since no issuance and redemption can be done.https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L309
Recommended Mitigation Steps
Define a max number of positions that can be added to the SetToken, and have the positions's length checked.
Alternatively, if the protocol decides not to limit the number of positions that a SetToken can hold, consider implement additional
_redeemMaturedPositions
function that allows users to redeem the positions in batches instead of redeeming all positions at one go.