Unbounded loops over activeProtections can cause DOS of premium accrual and capital lock functionality. Causing all protection buyer premiums to be locked.
Vulnerability Detail
Active protections are kept track of in an UintSet, which gets increased whenever a protection is bought:
This can be done only at the cost of gas, as the protocol currently does not restrict creating a protection with 0 amount of deposits. Also the exploiter needs to hold and nftLpToken, which is not much of an obstacle. By performing a lot of such deposits, they can inflate the size of said UintSet.
When accruing premiums or locking capital the all elements of the set are iterated over:
//_accurePremiumAndExpireProtection
uint256[] memory _protectionIndexes = lendingPoolDetail
.activeProtectionIndexes
.values();
/// Iterate through all active protection indexes for the lending pool
uint256 _length = _protectionIndexes.length;
for (uint256 j; j < _length; ) {
...
When the number of elements is sufficiently large, all calls to these functions will run out of gas and hence DOS said functions. Without premium accrual all the funds deposited by non-malicious buyers will get stuck in the contract. To highlight the permanence of this attack, the function _accurePremiumAndExpireProtection is also the only place where elements can get removed from the activeProtectionIndexes.
Impact
DOS of core functionality and permanent lock of funds.
minhtrng
high
DOS of core features and permanent lock of funds
Summary
Unbounded loops over activeProtections can cause DOS of premium accrual and capital lock functionality. Causing all protection buyer premiums to be locked.
Vulnerability Detail
Active protections are kept track of in an UintSet, which gets increased whenever a protection is bought:
This can be done only at the cost of gas, as the protocol currently does not restrict creating a protection with 0 amount of deposits. Also the exploiter needs to hold and nftLpToken, which is not much of an obstacle. By performing a lot of such deposits, they can inflate the size of said UintSet.
When accruing premiums or locking capital the all elements of the set are iterated over:
When the number of elements is sufficiently large, all calls to these functions will run out of gas and hence DOS said functions. Without premium accrual all the funds deposited by non-malicious buyers will get stuck in the contract. To highlight the permanence of this attack, the function
_accurePremiumAndExpireProtectionis also the only place where elements can get removed from theactiveProtectionIndexes.Impact
DOS of core functionality and permanent lock of funds.
Code Snippet
https://github.com/sherlock-audit/2023-02-carapace/blob/cbfed1985d3cf893239d852eecefe7610b7434dc/contracts/core/pool/ProtectionPool.sol#L975-L982
https://github.com/sherlock-audit/2023-02-carapace/blob/cbfed1985d3cf893239d852eecefe7610b7434dc/contracts/core/pool/ProtectionPool.sol#L374-L385
Tool used
Manual Review
Recommendation
Impose a minimum amount for each protection to increase the cost of the attack. Also limit the amount of total protections for a lending pool.
Duplicate of #63