Lines of code
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L689
Vulnerability details
Impact
The flashLoan function and potentially other functions in the PrincipalToken contract accept a bytes calldata _data parameter, which could be exploited by an attacker to pass in a very large payload. This could lead to out-of-gas errors, causing the transaction to fail and potentially leading to network congestion.
While the direct impact on the PrincipalToken contract may be limited due to the transaction reverting and the attacker bearing the gas costs, it could still cause temporary disruption or inconvenience to users. In extreme cases, it could contribute to network congestion.
Tools Used
Manual Review
Recommended Mitigation Steps
Implement checks to limit the size of the data accepted by functions that take arbitrary bytes input. Alternatively, ensure that the contract's functions can handle large inputs without running out of gas unexpectedly. Consider adding clear documentation about the expected size limits for data inputs.
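One way to implement the size check recommended above, as an added example that is not code from the Spectra repository or from this report: a minimal ERC-3156-style lender. The contract name, the MAX_FLASH_DATA_LENGTH value, the error names, the reduced flashLoan signature and the zero fee are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal ERC-3156-style lender, not Spectra's PrincipalToken.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

contract BoundedFlashLender {
    // Assumed cap: derive it from what legitimate borrowers need to pass through.
    uint256 public constant MAX_FLASH_DATA_LENGTH = 4096;
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IERC20Minimal public immutable asset;

    error FlashDataTooLarge(uint256 length, uint256 maxLength);
    error UnsupportedToken();
    error CallbackFailed();

    constructor(IERC20Minimal _asset) {
        asset = _asset;
    }

    function flashLoan(
        IERC3156FlashBorrower _receiver,
        address _token,
        uint256 _amount,
        bytes calldata _data
    ) external returns (bool) {
        // Reject oversized payloads before any token transfer or external call.
        if (_data.length > MAX_FLASH_DATA_LENGTH) {
            revert FlashDataTooLarge(_data.length, MAX_FLASH_DATA_LENGTH);
        }
        if (_token != address(asset)) revert UnsupportedToken();

        // Fee is fixed at 0 here to keep the example focused on the length check.
        require(asset.transfer(address(_receiver), _amount), "transfer failed");
        if (_receiver.onFlashLoan(msg.sender, _token, _amount, 0, _data) != CALLBACK_SUCCESS) {
            revert CallbackFailed();
        }
        require(asset.transferFrom(address(_receiver), address(this), _amount), "repay failed");
        return true;
    }
}
```

The custom error reports both the submitted length and the limit, which gives integrators a concrete bound to document and test against.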
Assessed type
DoS