code-423n4 / 2024-06-vultisig-findings


a big number of pools will make a protocol unlaunchable and will lock the `SaleTokens` forever #85

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L187-L207

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L71-L107

Vulnerability details

Impact

All protocol tokens will be locked inside the pool contracts and the project will be unlaunchable.

Proof of Concept

The `ILOManager::initILOPool` function does not limit the number of pools, allowing a protocol to initialize an excessive number of pools. Consequently, if a project launches an excessive number of pools, the `ILOManager::launch` and `ILOManager::claimRefund` functions, which iterate through all pools, will always revert due to a Denial of Service (DoS) caused by the large number of initialized pools.

    /// @inheritdoc IILOManager
    function launch(address uniV3PoolAddress) external override {
        require(block.timestamp > _cachedProject[uniV3PoolAddress].launchTime, "LT");
        (uint160 sqrtPriceX96,,,,,,) = IUniswapV3Pool(uniV3PoolAddress).slot0();
        require(_cachedProject[uniV3PoolAddress].initialPoolPriceX96 == sqrtPriceX96, "UV3P");
        address[] memory initializedPools = _initializedILOPools[uniV3PoolAddress];
        require(initializedPools.length > 0, "NP");
@>        for (uint256 i = 0; i < initializedPools.length; i++) {
            IILOPool(initializedPools[i]).launch();
        }

        emit ProjectLaunch(uniV3PoolAddress);
    }

    /// @inheritdoc IILOManager
    function claimRefund(address uniV3PoolAddress)
        external
        override
        onlyProjectAdmin(uniV3PoolAddress)
        returns (uint256 totalRefundAmount)
    {
        require(_cachedProject[uniV3PoolAddress].refundDeadline < block.timestamp, "RFT");
        address[] memory initializedPools = _initializedILOPools[uniV3PoolAddress];
@>        for (uint256 i = 0; i < initializedPools.length; i++) {
            totalRefundAmount +=
                IILOPool(initializedPools[i]).claimProjectRefund(_cachedProject[uniV3PoolAddress].admin);
        }
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a limit on the number of initializedPools to prevent excessive initialization.

Assessed type

DoS
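
The mitigation recommended in the report above, as an added example that is not part of the original issue or of the Vultisig code base: the bound is enforced where the pool array grows, so the `launch` loop has a known worst-case iteration count. `IPoolLike`, `BoundedPoolRegistry`, `registerPool`, `MAX_POOLS_PER_PROJECT`, its value of 20 and the `launched` flag are assumptions, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from the Vultisig repository.
// All contract, function and constant names here are hypothetical.
interface IPoolLike {
    function launch() external;
}

contract BoundedPoolRegistry {
    // Assumed cap; a real value should be derived from the measured gas cost
    // of one pool's launch() against the block gas limit.
    uint256 public constant MAX_POOLS_PER_PROJECT = 20;

    mapping(address => address[]) private _initializedPools;
    mapping(address => bool) public launched;

    event PoolRegistered(address indexed project, address pool, uint256 count);
    event ProjectLaunch(address indexed project);

    // Stand-in for the step where initILOPool appends a new pool.
    function registerPool(address project, address pool) external {
        require(!launched[project], "AL"); // no new pools after launch
        require(pool != address(0), "ZA");
        address[] storage pools = _initializedPools[project];
        // Reject the push once the cap is reached, so every later loop over
        // this array is bounded by MAX_POOLS_PER_PROJECT iterations.
        require(pools.length < MAX_POOLS_PER_PROJECT, "MAXP");
        pools.push(pool);
        emit PoolRegistered(project, pool, pools.length);
    }

    // Same loop shape as the launch() quoted in the report, now bounded.
    function launch(address project) external {
        require(!launched[project], "AL");
        address[] memory pools = _initializedPools[project];
        require(pools.length > 0, "NP");
        launched[project] = true; // state change before external calls
        for (uint256 i = 0; i < pools.length; i++) {
            IPoolLike(pools[i]).launch();
        }
        emit ProjectLaunch(project);
    }

    function poolCount(address project) external view returns (uint256) {
        return _initializedPools[project].length;
    }
}
```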

c4-judge commented 4 months ago

alex-ppg changed the severity to QA (Quality Assurance)

c4-judge commented 4 months ago

alex-ppg marked the issue as grade-c