code-423n4 / 2023-10-ethena-findings


Temporary DOS attack on users minting and redeeming big amount using `EthenaMinting.sol` #690

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.sol#L97-L107
https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.sol#L162-L187
https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.sol#L194-L216

Vulnerability details

Impact

Users redeeming and minting a large amount using EthenaMinting.sol can be vulnerable to a DoS attack.

Proof of Concept

There is a limit on the max amount to redeem and mint in a block. This can be crucial to users that are minting or redeeming a large amount. This is as follows:

  1. Suppose the maxMintPerBlock is set to 20_000.
  2. And a user wanting to redeem all the 20_000 tokens submits a transaction by calling EthenaMinting.sol/mint() function.
  3. The attacker who has many orders with the dust amount of USDe tokens front-runs the transaction of the previous user.
  4. This will cause the transaction of the previous user to revert.

The same can happen in the case of EthenaMinting.sol/redeem() due to maxRedeemPerBlock. This can be exploited by any user who has many orders containing small amounts of USDe to mint or redeem. All users that are minting nearly all the amount of USDe left in the block to mint are vulnerable. The same applies in the case of redeeming.

Tools Used

Manual Review

Recommended Mitigation Steps

The cap on mint and redeem can be flexible for large transactions (that are comparable to the maxMintPerBlock and maxRedeemPerBlock) and not the small transactions. For example, if the cap on mint is 1000 then it should be flexible to 1100 tokens for large transactions (> 600) to succeed if they are submitted after 500 tokens are minted.

Assessed type

DoS
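An added example, not part of the submission and not code from the Ethena repository: a simplified Python model of a per-block mint cap, comparing a strict cap with the relaxed cap proposed under Recommended Mitigation Steps. It assumes a mint reverts when the block's running total plus the order amount would exceed the limit; `BlockMintCap`, `large_threshold`, `headroom` and the block contents are hypothetical names and constructed values.

```python
from dataclasses import dataclass


@dataclass
class BlockMintCap:
    """Model of a per-block cap; not the contract's own logic."""
    max_per_block: int
    large_threshold: int = 0  # hypothetical: amounts above this are "large"
    headroom: int = 0         # hypothetical: extra allowance for large orders
    minted: int = 0           # running total for the current block

    def limit_for(self, amount: int) -> int:
        # Strict cap unless headroom is configured and the order is large.
        if self.headroom and amount > self.large_threshold:
            return self.max_per_block + self.headroom
        return self.max_per_block

    def mint(self, amount: int) -> bool:
        # Assumed check: reject when the running total would pass the limit.
        if self.minted + amount > self.limit_for(amount):
            return False  # models the revert
        self.minted += amount
        return True


def run_block(cap: BlockMintCap, amounts: list[int]) -> list[bool]:
    """Apply orders in their in-block order; True means the order executed."""
    return [cap.mint(a) for a in amounts]


def demo() -> dict[str, bool]:
    # Constructed blocks: cap 1000, relaxed limit 1100 for orders above 600.
    def relaxed() -> BlockMintCap:
        return BlockMintCap(1000, large_threshold=600, headroom=100)

    return {
        # 450 minted earlier in the block, then a 650 order.
        "strict_450_then_650": run_block(BlockMintCap(1000), [450, 650])[-1],
        "relaxed_450_then_650": run_block(relaxed(), [450, 650])[-1],
        # Small orders of 1 ahead of a full-cap order of 1000.
        "relaxed_100_small_then_1000": run_block(relaxed(), [1] * 100 + [1000])[-1],
        "relaxed_101_small_then_1000": run_block(relaxed(), [1] * 101 + [1000])[-1],
    }


if __name__ == "__main__":
    for name, executed in demo().items():
        print(f"{name}: {'executed' if executed else 'reverted'}")
```

In this model the relaxed cap lets the large order through only while earlier volume in the block stays within the headroom; one unit more and it reverts as under the strict cap.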

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #625

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid