Open hats-bug-reporter[bot] opened 4 months ago
The user can only make ~500 calls then they would run out of storage for themselves. This will break the functionality for them by wrong usage.
Thank you for your submission. `batch_unlock_requests` is a mapping. Users could add the item to `user_unlock_requests`, which will DOS himself.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xdb07bf2f4b32dd35c79492027b943640656ae15d74c6c29f8948cc17db7fa563
Severity: medium
Description:

When staking tokens in the `vault` contract in `stake`, a `minimum_stake` is enforced so that users cannot bloat the storage with low-value positions. Unfortunately there is no check when calling `request_unlock`. This leads to users being able to call this function with `shares=1` which adds an entry to `data.batch_unlock_requests`.

Attack Scenario

Assuming the current price of `AZERO` of about `0.8 USD` and the 10 decimals used in the other tests, an attacker could once call `stake` with `100e10 AZERO`, opening one position worth `80 USD`. They can then call `request_unlock` `100e10` times with a value of `1`. This will add `100e10` elements to `data.batch_unlock_requests`. When testing, 515 unlock requests already bloated the storage to a point where no new unlock requests could be added and all further calls would revert.

Attachments
Proof of Concept (PoC) File

Add the following to `drink_tests/lib.rs`:

Revised Code File (Optional)

Consider also adding a minimum size for `request_unlock`:
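Added illustration, not part of the report and not the project's contract code: a plain-Rust model of the pattern described above, in which `stake` enforces `minimum_stake` and `request_unlock` either does or does not. The `Vault` struct, the `enforce_unlock_minimum` switch, the one-share-per-token accounting and the sample amounts are assumptions; only the 515-request count comes from the report.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum VaultError { BelowMinimum, InsufficientShares }

// Hypothetical simplified vault: one share per staked unit, no fees, no batching.
pub struct Vault {
    pub minimum_stake: u128,
    pub enforce_unlock_minimum: bool, // false models the behaviour in the report
    pub shares: HashMap<u32, u128>,   // user id -> shares held
    pub unlock_requests: Vec<(u32, u128)>, // one stored entry per accepted request
}

impl Vault {
    pub fn new(minimum_stake: u128, enforce_unlock_minimum: bool) -> Self {
        Vault { minimum_stake, enforce_unlock_minimum, shares: HashMap::new(), unlock_requests: Vec::new() }
    }

    pub fn stake(&mut self, user: u32, amount: u128) -> Result<(), VaultError> {
        if amount < self.minimum_stake { return Err(VaultError::BelowMinimum); }
        *self.shares.entry(user).or_insert(0) += amount;
        Ok(())
    }

    pub fn request_unlock(&mut self, user: u32, shares: u128) -> Result<(), VaultError> {
        let held = self.shares.get(&user).copied().unwrap_or(0);
        if shares == 0 || shares > held { return Err(VaultError::InsufficientShares); }
        // Hardened path: reject dust requests, but still allow a full exit so a
        // remainder smaller than the minimum cannot get stuck.
        if self.enforce_unlock_minimum && shares < self.minimum_stake && shares != held {
            return Err(VaultError::BelowMinimum);
        }
        self.shares.insert(user, held - shares);
        self.unlock_requests.push((user, shares));
        Ok(())
    }
}

// Stored entries after one stake followed by `calls` unlock requests of 1 share.
pub fn entries_after_dust_requests(enforce: bool, calls: u32) -> usize {
    let mut v = Vault::new(1_000, enforce); // constructed sample values
    v.stake(7, 1_000_000).unwrap();
    for _ in 0..calls { let _ = v.request_unlock(7, 1); }
    v.unlock_requests.len()
}

fn main() {
    println!("no minimum:   {} entries", entries_after_dust_requests(false, 515));
    println!("with minimum: {} entries", entries_after_dust_requests(true, 515));
}
```

With the check enabled, the number of stored entries per position is bounded by roughly the staked amount divided by `minimum_stake`, instead of by the staked amount itself.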