The functions launch() and claimRefund() in ILOManager.sol may fail due to unbounded loop over initializedPools.length.
the array of addresses initializedPools can get very big due to the function initILOPool which pushes many iloPoolAddress inside _initializedILOPools[params.uniV3Pool]. There is no restriction on how may addresses can be pushed.
_initializedILOPools[uniV3PoolAddress] can get very huge and may cause dos condition where no projects can be launched due to exceed of gas limit.Similar with the claimRefund() function.
Proof of Concept
dos in launch()
function launch(address uniV3PoolAddress) external override {
require(block.timestamp > _cachedProject[uniV3PoolAddress].launchTime, "LT");
(uint160 sqrtPriceX96, , , , , , ) = IUniswapV3Pool(uniV3PoolAddress).slot0();
require(_cachedProject[uniV3PoolAddress].initialPoolPriceX96 == sqrtPriceX96, "UV3P");
address[] memory initializedPools = _initializedILOPools[uniV3PoolAddress];
require(initializedPools.length > 0, "NP");
//@audit dos, unbounded for lop
for (uint256 i = 0; i < initializedPools.length; i++) {
IILOPool(initializedPools[i]).launch();
}
emit ProjectLaunch(uniV3PoolAddress);
}
>dos in `claimRefund()`
```javascript
function claimRefund(address uniV3PoolAddress) external override onlyProjectAdmin(uniV3PoolAddress) returns(uint256 totalRefundAmount) {
require(_cachedProject[uniV3PoolAddress].refundDeadline < block.timestamp, "RFT");
address[] memory initializedPools = _initializedILOPools[uniV3PoolAddress];
for (uint256 i = 0; i < initializedPools.length; i++) {
totalRefundAmount += IILOPool(initializedPools[i]).claimProjectRefund(_cachedProject[uniV3PoolAddress].admin);
}
//@audit is any event mising + yes, projectRefund event
}
Tools Used
Manual Review
Recommended Mitigation Steps
Setting an limit on how many addresses can be pushed inside _initializedILOPools[uniV3PoolAddress] should work.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L187 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L193 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L201 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L204
Vulnerability details
Impact
The functions
launch()
andclaimRefund()
inILOManager.sol
may fail due to unbounded loop overinitializedPools.length
.the array of addresses
initializedPools
can get very big due to the functioninitILOPool
which pushes manyiloPoolAddress
inside_initializedILOPools[params.uniV3Pool]
. There is no restriction on how may addresses can be pushed._initializedILOPools[uniV3PoolAddress]
can get very huge and may cause dos condition where no projects can be launched due to exceed of gas limit.Similar with theclaimRefund()
function.Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Setting an limit on how many addresses can be pushed inside
_initializedILOPools[uniV3PoolAddress]
should work.Assessed type
DoS