code-423n4 / 2024-02-hydradx-findings


Missing Benchmarking in Omnipool #132

Closed c4-bot-5 closed 6 months ago

c4-bot-5 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L447-L458
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1965-L1967

Vulnerability details

Impact

Benchmarks help in understanding the computational and storage costs of executing an extrinsic. But in the Omnipool pallet, there is no benchmarking applied.

The weight is being calculated without considering the size of registered assets (line 458, line 1967) when checking for an existing asset, which means the weight could be underestimated.

Missing or incorrect benchmarking can slow down the network and allow attackers to spam the system by continuously calling under-benchmarked extrinsics at lower-than-actual costs.

Proof of Concept

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L447-L458

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1965-L1967

Tools Used

Manual review

Recommended Mitigation Steps

Perform benchmarks using worst-case scenario conditions to ensure accurate weight calculation, as demonstrated in the provided code snippet below.

Assessed type

Other
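As an added, self-contained illustration (not code from the HydraDX repository and not a FRAME benchmark): a toy model in which the extrinsic's DB reads grow with the number of registered assets, run at several component sizes in the worst case and fitted to a line the way benchmark analysis does, so the resulting weight formula carries the per-asset term that a flat weight omits. The scan-based existence check and the two fixed reads are assumptions of the model, not a claim about the pallet's storage layout.

```rust
use std::collections::BTreeMap;

/// Toy stand-in for pallet storage. The cost unit here is DB reads, one of the
/// inputs a Substrate weight is built from.
struct Omnipool {
    assets: BTreeMap<u32, u128>,
    reads: u64,
}

impl Omnipool {
    fn with_assets(n: u32) -> Self {
        Omnipool { assets: (0..n).map(|i| (i, 1u128)).collect(), reads: 0 }
    }

    /// The extrinsic being weighed: two fixed reads (assumed) plus an
    /// asset-existence check whose cost is ASSUMED to scale with the number of
    /// registered assets, which is the concern the report raises.
    fn add_token(&mut self, id: u32) -> Result<(), &'static str> {
        self.reads += 2;
        let mut scanned = 0u64;
        let exists = self.assets.keys().any(|k| { scanned += 1; *k == id });
        self.reads += scanned;
        if exists { return Err("AssetAlreadyAdded"); }
        self.assets.insert(id, 1);
        Ok(())
    }
}

/// Run the extrinsic at several component sizes (each >= 1), probing the last
/// registered id so the scan runs to the end: the worst case for this model.
fn bench_points(sizes: &[u32]) -> Vec<(f64, f64)> {
    sizes.iter().map(|&n| {
        let mut pool = Omnipool::with_assets(n);
        let _ = pool.add_token(n - 1); // duplicate at the end of the set
        (n as f64, pool.reads as f64)
    }).collect()
}

/// Least-squares line through the measured points, as benchmark analysis does.
/// Returns (base_reads, reads_per_asset).
fn fit(points: &[(f64, f64)]) -> (u64, u64) {
    let n = points.len() as f64;
    let mx = points.iter().map(|p| p.0).sum::<f64>() / n;
    let my = points.iter().map(|p| p.1).sum::<f64>() / n;
    let num: f64 = points.iter().map(|p| (p.0 - mx) * (p.1 - my)).sum();
    let den: f64 = points.iter().map(|p| (p.0 - mx).powi(2)).sum();
    let slope = num / den;
    ((my - slope * mx).round() as u64, slope.round() as u64)
}

/// Weight formula from the fitted coefficients; a flat weight would fix `assets` at 1.
fn weight(coeffs: (u64, u64), assets: u64) -> u64 { coeffs.0 + coeffs.1 * assets }
```

Fitting the four sizes 1, 10, 100 and 1000 yields base 2 and 1 read per asset, so the worst-case weight at 1000 assets is 1002 reads where a flat weight taken at one asset would charge 3.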

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as insufficient quality report

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Insufficient proof