c4-judge
commented
1 year ago trust1995 marked the issue as unsatisfactory: Invalid
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/rewards/rewards/FlywheelBribeRewards.sol#L37-L42
Vulnerability details
Impact
The
FlywheelBribeRewards.setRewardsDepot()function is an external permissionless function. Any malicious user can create as many ERC20 compatible contracts as possible and can call this function to set themselves asstrategiesin theFlywheelBribeRewards.rewardsDepotsmapping. Hence this could be used to add as many instances as possible to therewardsDepotsstate variable. Hence this can be used by a malicious user to increase thestorageused by the smart contract which could lead tostate bloatin theethereumstate.Proof of Concept
https://github.com/code-423n4/2023-05-maia/blob/main/src/rewards/rewards/FlywheelBribeRewards.sol#L37-L42
Tools Used
VSCode and Manual Review
Recommended Mitigation Steps
It is recommended to keep an
upperboundto the number ofrewardsDepotthat can be added to therewardsDepotsmapping via theFlywheelBribeRewards.setRewardsDepotfunction. This can be done by maintaining an incrementer inside theFlywheelBribeRewards.setRewardsDepotfunction, which will increment each time a newrewardsDepotis added to the mapping. A check should performed inside thesetRewardsDepotto make sure this incrementer value is less than theupperboundset.upperboundcan be set as aconstantand theincrementercan be set as a state variable. ThesetRewardsDepottransaction should revert if theincrementerexceeds theupperbound. This will prevent statemappingexpanding unnecessarily and forcing theethereumintostate bloat.Assessed type
Other