The SurplusGuildMinter.claimRewards function loops and claims all rewards from active lending terms delegated by this contract. Consequently, this function can run out of gas and revert, potentially causing a DoS state on other functions of SurplusGuildMinter. This situation may occur when the market has numerous lending terms, and users stake in many of them.
Proof of Concept
In the SurplusGuildMinter contract, getRewards function is used to claim and transfer rewards from a lending term (gauge) to the user. However, it calls the claimRewards function from the ProfitManager contract, which loops and claims rewards from all delegated lending terms of this contract. That action is unnecessary because it only needs to claim the reward of a specific term, resulting in the risk of reverting due to running out of gas for this function.
function getRewards(
address user,
address term
)...
{
...
ProfitManager(profitManager).claimRewards(address(this));
...
}
function claimRewards(
address user
) external returns (uint256 creditEarned) {
address[] memory gauges = GuildToken(guild).userGauges(user);
for (uint256 i = 0; i < gauges.length; ) {
creditEarned += claimGaugeRewards(user, gauges[i]);
unchecked {
++i;
}
}
}
Tools Used
Manual review
Recommended Mitigation Steps
getRewards function should call claimGaugeRewards function instead of claimRewards:
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SurplusGuildMinter.sol#L141
Vulnerability details
Impact
The
SurplusGuildMinter.claimRewards
function loops and claims all rewards from active lending terms delegated by this contract. Consequently, this function can run out of gas and revert, potentially causing a DoS state on other functions of SurplusGuildMinter. This situation may occur when the market has numerous lending terms, and users stake in many of them.Proof of Concept
In the SurplusGuildMinter contract,
getRewards
function is used to claim and transfer rewards from a lending term (gauge) to the user. However, it calls theclaimRewards
function from the ProfitManager contract, which loops and claims rewards from all delegated lending terms of this contract. That action is unnecessary because it only needs to claim the reward of a specific term, resulting in the risk of reverting due to running out of gas for this function.Tools Used
Manual review
Recommended Mitigation Steps
getRewards
function should callclaimGaugeRewards
function instead ofclaimRewards
:Assessed type
DoS