search

code-423n4 / 2024-01-curves-findings

1 stars 0 forks source link

`_addOwnedCurvesTokenSubject()` loop limit #1473

Closed c4-bot-8 closed 10 months ago

c4-bot-8 commented 10 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L328-L336

Vulnerability details

Impact

The ownedCurvesTokenSubjects list may grow too long and break loop limits, preventing a user from buying new tokens or depositing and withdrawing. This may happen to oneself through normal usage, or be caused deliberately and maliciously to someone else.

Proof of Concept

_addOwnedCurvesTokenSubject() loops through a ownedCurvesTokenSubjects list and pushes a subject to it (if not a duplicate). _addOwnedCurvesTokenSubject() is called whenever a new token is bought, or tokens are deposited or withdrawn (via _transfer()). This list can only grow, and may therefore eventually break, impede, or render costly, said functionalities.

This can happen not only through normal usage, but may be deliberately caused to someone by a malicious actor. An attacker can grief a victim by spamming him with many new tokens using transferCurvesToken() which adds these to the victim's ownedCurvesTokenSubjects list.

Recommended Mitigation Steps

Reconsider the utility/necessity of using a list in order to be able to transferAllCurvesTokens().

Assessed type

Loop

c4-pre-sort commented 10 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #72

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #1116

c4-judge commented 9 months ago

alcueca marked the issue as partial-75

c4-judge commented 9 months ago

alcueca marked the issue as satisfactory

c4-judge commented 9 months ago

alcueca changed the severity to 3 (High Risk)