c4-pre-sort
commented
8 months ago alex-ppg marked the issue as primary issue
Open c4-bot-10 opened 8 months ago
c4-pre-sort
commented
8 months ago alex-ppg marked the issue as primary issue
c4-pre-sort
commented
8 months ago alex-ppg marked the issue as sufficient quality report
c4-sponsor
commented
8 months ago kupermind (sponsor) confirmed
c4-judge
commented
7 months ago dmvt marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-12-autonolas/blob/main/lockbox-solana/solidity/liquidity_lockbox.sol#L140-L190
Vulnerability details
Impact
The
liquidity_lockboxcontract does not enforce a minimum deposit limit. This allows a user to open many positions with minimum liquidity, forcing other users to close these positions one by one in order to withdraw. This could lead to a griefing attack where the transaction cost accounts for a large portion of the withdrawn amount.While transactions on Solana are cheap and it is difficult to assess the cost of a withdrawal as the external call on line fails, an accumulation of small deposits as portrayed will in any case disrupt contract operations by making substantial fund withdrawals labor-intensive.
The root cause of this issue is the lack of a minimum deposit threshold in the
deposit()function inlockbox-solana/solidity/liquidity_lockbox.sol.Proof of Concept
Consider the following scenario:
liquidity_lockboxcontract.Tools Used
Manual review
Recommended Mitigation Steps
To mitigate this issue, a minimum deposit threshold should be implemented in the
deposit()function. This would prevent users from opening positions with minimum liquidity and protect other users from potential griefing attacks. The threshold should be carefully chosen to balance the need for user flexibility and the protection against potential attacks. Additionally, consider implementing a mechanism to batch close positions to further protect against such scenarios.Assessed type
Other