sherlock-audit / 2023-01-uxd-judging


ak1 - UXDControllerStorage.sol - array-based asset list handling would cause DoS when a larger number of asset tokens is accepted by the protocol. #411

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ak1

medium

UXDControllerStorage.sol - array-based asset list handling would cause DoS when a larger number of asset tokens is accepted by the protocol.

Summary

The list of accepted collateral is stored in an array, address[] public assetList;. Any token to be added to this array is added in UXDController. The functions _addAsset and _removeAsset are used by the owner to add or remove a whitelisted asset. For add/remove, the array is traversed and updated.

Given the current tokenomics model and the increasing number of tokens, I believe UXD would support a larger number of asset tokens.

When this happens, the array size grows as assets are added. In this scenario, the function call whitelistAsset would be affected by DoS due to the large size of the array and the number of traversals the asset array would be subject to.

Vulnerability Detail

Refer to the summary section.

Impact

Potential DoS: the owner is not able to call the whitelistAsset function anymore.

The owner cannot delist any asset from usage if they want to.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L97-L116

Tool used

Manual Review

Recommendation

Use map-based asset token handling instead of array-based.
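
The contrast the report draws between array traversal and map-based handling, as an added example that is not part of the original submission and is not UXD's code. The contract and function names and the indexPlusOne mapping are hypothetical; the second contract goes slightly beyond the recommendation by keeping the array for enumeration while the mapping removes the scan.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration, not UXD code; names are hypothetical, owner checks omitted.

/// Array-only list: add and remove scan the array, so gas grows with its length.
contract ArrayAssetList {
    address[] public assetList;

    function addAsset(address asset) external {
        for (uint256 i = 0; i < assetList.length; i++) {
            require(assetList[i] != asset, "already listed"); // one storage read per entry
        }
        assetList.push(asset);
    }

    function removeAsset(address asset) external {
        for (uint256 i = 0; i < assetList.length; i++) {
            if (assetList[i] == asset) {
                assetList[i] = assetList[assetList.length - 1]; // swap with last entry
                assetList.pop();
                return;
            }
        }
        revert("not listed");
    }
}

/// Array plus index mapping: add and remove cost the same at any list size.
contract MappedAssetList {
    address[] public assetList;
    mapping(address => uint256) public indexPlusOne; // 0 means "not listed"

    function addAsset(address asset) external {
        require(indexPlusOne[asset] == 0, "already listed");
        assetList.push(asset);
        indexPlusOne[asset] = assetList.length; // position + 1
    }

    function removeAsset(address asset) external {
        uint256 idx = indexPlusOne[asset];
        require(idx != 0, "not listed");
        address last = assetList[assetList.length - 1];
        assetList[idx - 1] = last; // move last entry into the freed slot
        indexPlusOne[last] = idx;
        assetList.pop();
        delete indexPlusOne[asset]; // done last so removing the final entry also clears it
    }
}
```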