Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L131-L160
Vulnerability details
Impact
The depositWithExpiry() function in the router contract is an external function that serves as the entry point of the protocol, so anyone can call it with any amount.
Because the input amount is not checked, a malicious contract can implement a deposit function that runs in a loop with deposit amount = 0, DoSing the router while losing only the gas fees.
Proof of Concept
While the attacker will not benefit financially from this attack, it will impact the router's functionality and harm the protocol's reputation.
Tools Used
Manual review
Recommended Mitigation Steps
It is crucial to ensure the input from the user is properly validated. A minimum amount can be checked to avoid this vulnerability.
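One way to apply the minimum-amount check, as an added sketch that is not the THORChain router's code. The contract name, the per-asset minDeposit mapping, the admin setter and the custom errors are assumptions, and the token is assumed to return a bool from transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified deposit entry point used only to illustrate the check.
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

contract MinDepositRouterSketch {
    // Assumed per-asset floor in the asset's smallest unit; address(0) means native ETH.
    mapping(address => uint256) public minDeposit;
    address public immutable admin;

    event Deposit(address indexed to, address indexed asset, uint256 amount, string memo);

    error AmountBelowMinimum(uint256 provided, uint256 required);
    error UnexpectedEth();
    error Expired();

    constructor() { admin = msg.sender; }

    function setMinDeposit(address asset, uint256 floor) external {
        require(msg.sender == admin, "not admin");
        minDeposit[asset] = floor;
    }

    function depositWithExpiry(address payable vault, address asset, uint256 amount,
                               string calldata memo, uint256 expiration) external payable {
        if (block.timestamp >= expiration) revert Expired();
        // In this sketch the effective ETH amount is msg.value, not the `amount` argument,
        // so the floor must be applied to whichever value will actually move.
        uint256 effective = asset == address(0) ? msg.value : amount;
        if (asset != address(0) && msg.value != 0) revert UnexpectedEth();
        // An unset floor still rejects zero: validate before any transfer or event.
        uint256 floor = minDeposit[asset] == 0 ? 1 : minDeposit[asset];
        if (effective < floor) revert AmountBelowMinimum(effective, floor);

        if (asset == address(0)) {
            (bool ok, ) = vault.call{value: effective}("");
            require(ok, "eth transfer failed");
        } else {
            require(IERC20Minimal(asset).transferFrom(msg.sender, vault, effective), "transfer failed");
        }
        emit Deposit(vault, asset, effective, memo);
    }
}
```

The check runs before the transfer and before the Deposit event is emitted, so a rejected call leaves nothing for off-chain observers to process.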
Assessed type
DoS