Malicious user can DoS another user's buying new tokens by transferring them dust from many coins due to usage of ownedCurvesTokenSubjects mapping array

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L101 https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L328-L336

Vulnerability details

Impact

_addOwnedCurvesTokenSubject (and the underlying mapping(address => address[]) private ownedCurvesTokenSubjects;) can potentially DoS buys if an out of gas error is reached. This is because no addresses from the address[] are ever removed, even if the token balance is 0.

Proof of Concept

_addOwnedCurvesTokenSubject is used in _buyCurvesToken, used in every buy transaction. https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L263C14-L263C29

_transfer will add new tokens to this array https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L318

If a malicious user wanted to spend the time, they could buy enough tokens to DoS another user's account by simply transferring dust to them, causing this array to grow too large.

Tools Used

Manual Review

Recommended Mitigation Steps

Use OZ EnumerableSet and remove tokens from this set once the balance reaches 0 (eg: on sell)

Assessed type

DoS

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #72

[c4-pre-sort]

raymondfam marked the issue as duplicate of #1116

[c4-judge]

alcueca marked the issue as partial-75

[c4-judge]

alcueca marked the issue as satisfactory

[c4-judge]

alcueca changed the severity to 3 (High Risk)