Lines of code
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L447-L458
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1965-L1967
Vulnerability details
Impact
Benchmarks measure the computational and storage cost of executing an extrinsic, and that measurement is what the extrinsic's weight (and therefore its fee and its share of block execution time) is based on. In the Omnipool pallet, however, no benchmarking is applied.
The weight is calculated without accounting for the number of registered assets (line 458, line 1967) when checking whether an asset exists, so the weight can be underestimated.
Missing or incorrect benchmarking can slow down the network and allow attackers to spam the system by repeatedly calling under-benchmarked extrinsics at a lower-than-actual cost.
Proof of Concept
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L447-L458
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1965-L1967
Tools Used
Manual review
Recommended Mitigation Steps
Perform benchmarks under worst-case conditions (for this finding, with the maximum number of registered assets present) so that the calculated weight is accurate, as demonstrated in the provided code snippet below.
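To make the mitigation concrete, the following is an added, self-contained Rust model (not HydraDX code and not the pallet's real benchmarking) of why a weight that ignores storage size under-charges and how a worst-case benchmark corrects it. The registry, the `WeightInfo` trait, `MAX_ASSETS` and the unit-of-work counter are all assumptions made for the illustration; in a real FRAME pallet the same idea is a `frame_benchmarking` benchmark that fills asset storage up to its bound before dispatching the extrinsic, so the generated weight reflects the full scan.

```rust
// Added illustration, not HydraDX code. All names below are assumptions.
// It models an existence check whose cost grows with the number of registered
// assets, and compares a fixed weight against one derived from a worst-case
// benchmark (storage filled to MAX_ASSETS, lookup of an id that is not there).

/// Assumed upper bound on registered assets; the benchmark populates storage to it.
pub const MAX_ASSETS: usize = 1_000;

/// Simplified stand-in for pallet storage: the ids of registered assets.
pub struct AssetRegistry {
    assets: Vec<u32>,
}

impl AssetRegistry {
    /// Populate storage with `n` assets, as a worst-case benchmark setup would.
    pub fn with_assets(n: usize) -> Self {
        AssetRegistry { assets: (0..n as u32).collect() }
    }

    /// The existence check whose cost is proportional to registered assets.
    /// Returns (found, units_of_work) so the actual cost can be measured.
    pub fn asset_exists(&self, id: u32) -> (bool, u64) {
        let mut work: u64 = 1; // fixed overhead of the call itself
        for a in &self.assets {
            work += 1; // one unit per asset visited
            if *a == id {
                return (true, work);
            }
        }
        (false, work)
    }
}

/// Weight assigned to the extrinsic, mirroring the WeightInfo convention.
pub trait WeightInfo {
    fn check_asset() -> u64;
}

/// A weight that ignores storage size: the situation the finding describes.
pub struct FixedWeight;
impl WeightInfo for FixedWeight {
    fn check_asset() -> u64 {
        10
    }
}

/// A weight obtained by benchmarking the worst case: MAX_ASSETS registered and
/// a lookup that misses, so every asset is visited.
pub struct WorstCaseWeight;
impl WeightInfo for WorstCaseWeight {
    fn check_asset() -> u64 {
        let reg = AssetRegistry::with_assets(MAX_ASSETS);
        let (_, measured) = reg.asset_exists(u32::MAX); // miss => full scan
        measured
    }
}

/// Dispatch the check against `n` registered assets (worst case: a miss) and
/// return (weight charged, work actually performed).
pub fn charged_vs_actual<W: WeightInfo>(n: usize) -> (u64, u64) {
    let reg = AssetRegistry::with_assets(n);
    let (_, actual) = reg.asset_exists(u32::MAX);
    (W::check_asset(), actual)
}

/// True when the charged weight covers the work actually done.
pub fn weight_covers_cost<W: WeightInfo>(n: usize) -> bool {
    let (charged, actual) = charged_vs_actual::<W>(n);
    charged >= actual
}

fn main() {
    for n in [1usize, 10, 100, MAX_ASSETS] {
        let (c, a) = charged_vs_actual::<FixedWeight>(n);
        let (c2, a2) = charged_vs_actual::<WorstCaseWeight>(n);
        println!(
            "assets={n:>5} fixed: charged={c} actual={a} covered={} | worst-case: charged={c2} actual={a2} covered={}",
            c >= a,
            c2 >= a2
        );
    }
}
```

With a handful of assets the fixed weight happens to cover the work, which is why such a gap survives testing on small fixtures; once storage grows, every call is charged far less than it costs, while the worst-case weight stays sufficient up to the bound the benchmark was run against.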
Assessed type
Other