Open hats-bug-reporter[bot] opened 5 days ago
@submitter
Last time I was creating a POC to explore OOG errors caused by a similar loop in a different codebase. However, the loop iterated up to 800 times without reverting.
Can you verify if this code will indeed revert due to OOG when iterating from 8 to 300?
Github username: --
Twitter username: --
Submission hash (on-chain): 0x71f125e47e58aa7ba73cdde503cb3c4f9a44f7aef33c969e60ff1408b5dfe388
Severity: medium

Description:
In an edge case scenario, where a user is a passive one, maybe because they deposited, claimed and withdrew a while ago, or they rarely call `claimRemovedTokens`, there is a potentially large gap between `lastClaimedUserId` and `_currentSnapshotId`. For example, `lastClaimedUserId` being 10 while `_currentSnapshotId` is 300 is a possible condition.

Snapshot ID is incremental and used for versioning of token updates. Every time there is a token removal in the Rebalancing contract, this snapshot will be incremented.
Current code in `claimRemovedTokens` uses `hasInteractedWithId` to flag whether the user should interact with the removed token. That is, if `hasInteractedWithId` is `true`, then `claimRemovedTokens` will assign `_balanceOfLastValidId` and try to `attemptClaim`.

This `hasInteractedWithId` can be gamed by a 1 wei donation of portfolio token to a user. Transferring 1 wei of portfolio token to a passive user (this will trigger `PortfolioToken::_afterTokenTransfer` -> `UserManagement::_updateUserRecord` -> `TokenExclusionManager::_setUserRecord`) will set `hasInteractedWithId` to `true`. Then `attemptClaim` will always be executed, pass the `_portfolioTokenBalance > 0` check, and try to transfer the removed token, even if it is a 1 wei balance, which is then rounded to 0.

In this situation, with a large gap between snapshot IDs and a token transfer in each loop iteration, there is a potential Out of Gas issue here.
Scenario:

- `lastClaimedRemovedTokenId` for example at 7.
- `claimRemovedTokens`: `hasInteractedWithId` was set to true at ID 10, it will attempt to `attemptClaim` at each iteration, even if the transfer balance is 0.

Impact:
The potential for an out-of-gas error due to a potential large gap between `lastClaimedUserId` and `_currentSnapshotId` can prevent users from successfully claiming removed tokens, especially if there are many snapshots to process.

Mitigation:
Consider implementing mechanisms such as limiting the number of iterations per transaction, allowing users to batch their claims over multiple transactions
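
A sketch of the batching mitigation suggested in the report, added here as an illustration and not taken from the audited contracts. The contract name, storage layout, pro-rata share formula, `seedSnapshot` helper and `credit` mapping are assumptions; only the identifiers `claimRemovedTokens`, `hasInteractedWithId`, `lastClaimedRemovedTokenId` and `_currentSnapshotId` come from the report, and the real `attemptClaim` token transfer is replaced by a single accumulated credit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added sketch of a bounded claim loop. Hypothetical, simplified model:
/// storage layout, share formula and `credit` are assumptions, not project code.
contract BoundedClaimSketch {
    struct UserRecord { uint256 portfolioBalance; bool hasInteractedWithId; }
    struct Snapshot { uint256 removedTokenAmount; uint256 totalSupply; }

    uint256 public currentSnapshotId;
    mapping(uint256 => Snapshot) public snapshots;
    mapping(address => mapping(uint256 => UserRecord)) public userRecord;
    mapping(address => uint256) public lastClaimedRemovedTokenId;
    mapping(address => uint256) public balanceOfLastValidId; // persisted between batches
    mapping(address => uint256) public credit;               // stand-in for the token transfer

    /// Test-only helper: records one removal snapshot and, optionally, a user balance at it.
    function seedSnapshot(address user, uint256 balance, uint256 removed, uint256 supply) external {
        uint256 id = currentSnapshotId++;
        snapshots[id] = Snapshot(removed, supply);
        if (balance > 0) userRecord[user][id] = UserRecord(balance, true);
    }

    /// Processes at most `maxSnapshots` ids per call, so gas per transaction is
    /// bounded by the caller no matter how far the user's cursor has fallen behind.
    function claimRemovedTokens(uint256 maxSnapshots) external returns (uint256 nextId) {
        require(maxSnapshots > 0, "empty batch");
        uint256 id = lastClaimedRemovedTokenId[msg.sender];
        uint256 end = currentSnapshotId;
        if (end - id > maxSnapshots) end = id + maxSnapshots;

        uint256 balance = balanceOfLastValidId[msg.sender];
        uint256 owed;
        for (; id < end; ++id) {
            UserRecord storage r = userRecord[msg.sender][id];
            if (r.hasInteractedWithId) balance = r.portfolioBalance;
            Snapshot storage s = snapshots[id];
            if (balance == 0 || s.totalSupply == 0) continue;
            // A dust balance rounds to 0 here and adds nothing, instead of
            // triggering a zero-value token transfer on every iteration.
            owed += (s.removedTokenAmount * balance) / s.totalSupply;
        }
        // Persist the carried balance and the cursor so the next call resumes here.
        balanceOfLastValidId[msg.sender] = balance;
        lastClaimedRemovedTokenId[msg.sender] = end;
        credit[msg.sender] += owed;
        return end;
    }
}
```

The carried balance has to be written to storage along with the cursor; a batch boundary that only saves the cursor would restart the next call with a zero balance and under-pay the user.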