Closed code423n4 closed 1 year ago
This is a known issue, getAllPairAddresses() is a convenience function for the UI. Same data is accessible via other functions which take an index argument or by reading the events.
No functions in the protocol rely on getAllPairAddresses for operation and so no unbounded loop consuming all gas situation can occur in the scope of this project. This function does not constitute conforming to a standard such as an EIP so no downstream protocols are unwittingly at risk for relying on this function. It would be their responsibility to read the source code of this project. Marking invalid.
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L122-L134 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L255
Vulnerability details
Impact
If
deployedPairsArray
has a large amount of items, calls togetAllPairAddresses()
can result in a out of gas scenario, which would result in a DoS condition while retrieving the addresses.Proof of Concept
deployedPairsArray
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L255
getAllPairAddresses
will run out of gas and the addresses are not going to be available to external calls.https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L122-L134
Recommended Mitigation Steps
Consider modifying the
getAllPairAddresses()
function to accept arguments that enable pagination while iteratingdeployedPairsArray
. E.g. adding afromIndex
and atoIndex
arguments.