c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/ProfitManager.sol#L444

Vulnerability details

Impact

Since operations on a list of gauges (for eg. claimRewards) can be DOS'ed on some chains having lower block gas limits, there is a protection in place called the maxGauges which is currently set to 10.

But the problem is that SurplusGuildMinter is being set to canExceedMaxGauges in the GIP_0 deployment script. This means that the SGM can open positions in any number of gauges. If enough active lending terms (gauges) exist, then users can stake through the SGM into many gauges such that now they get added to the userGauges reference list for the SGM address. This can make the userGauges list really long and cause DOS because of not fitting into the block gas limit.

The userGauges list is being used in ProfitManager.claimRewards function which iterates over the complete list of gauges for an address and claims its rewards from there. This claimRewards function is also an important part of the SurplusGuildMinter.getRewards() function which is basically used in all functionalities of SGM.

The number of gauges in userGauges[SGM address] can be increased very easily because every time a user stakes into a new gauge in SGM, the SGM will have a new gauge added to its list. Thus, this can cause DOS on some chains, which will lead to complete bricking of the Surplus Guild Minter, probably forever.