Potential DOS in `delegate_compound` Function

[hats-bug-reporter[bot]]

Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0x588cdd2499992876146eabbb7a4c9f876c858fc05954ae02d5f28df87a0c921b Severity: medium

Description: Description: The delegate_compound function iterates over all agents and calls compound on them. However, if there is a revert in one of the agents' compound calls, the entire compound function will revert. The nomination_agent::compound function might revert if an agent has not yet joined the nomination pool or has already reaped from it.

Impact: DOS vulnerability in the compound function.

Scenario: If one of the agents has not yet joined the nomination pool or has already reaped from it, the delegate_compound function will revert.

Revised Code File (Optional):

2 ways:

first:

         for (i, a) in agents.into_iter().enumerate() {
+
             match call_compound(a.address, incentive_percentage_) {
+                // Check if the agent has joined the nomination pool and then call compound for that agent
                 Ok((compound_amount, incentive_amount)) => {
                     debug_println!("Compounded {} to agent #{}", compound_amount, i);

By adding a check to ensure that the agent has joined the nomination pool before calling the compound function, potential DOS vulnerabilities in the delegate_compound function can be mitigated.

second:

just like withdraw function, do not revert the call.

[aktech297]

@bgibers how long do you expect DOS here ? imo, it would be hardly few mins.

Note, agents are added by the admin and they can be removed whenever needed by the admin.

The possibility of DOS is very low since anybody can stake and agent is allocated with funds and they join the pool.

[aktech297]

@bgibers looking for your comments on this

[bmino]

Addressed in kintsu-contracts@5fe996