Malicious user can permanently break VUSD#processWithdrawals by wasting all transaction gas
Summary
VUSD#processWithdraw makes a call to withdrawal.usr to send the withdrawn gas token. It sends all the transaction gas with the call. A malicious user could set the withdrawal target to a malicious contract that would endlessly loop until it had consumed all the gas. Since there is no gas limit, this OOG error will cause the entire processWithdrawals call revert. No matter how much gas is sent with the transaction, the transaction will always revert. The result is that all withdrawals would be permanently locked causing massive loss to all VUSD holders.
NOTE: I am submitting this as a separate issue apart from my other two similar issues. This a separate issue because the root cause is different even though the outcome is similar. The vulnerability exploited in this issue is that the call doesn't cap gas usage in any way allowing all the transaction gas to be consumed.
Apply a gas cap to the call. Alternatively withdraw could be changed from a two step process to a single step one without the need for a withdrawal queue at all.
0x52
high
Malicious user can permanently break VUSD#processWithdrawals by wasting all transaction gas
Summary
VUSD#processWithdraw makes a call to withdrawal.usr to send the withdrawn gas token. It sends all the transaction gas with the call. A malicious user could set the withdrawal target to a malicious contract that would endlessly loop until it had consumed all the gas. Since there is no gas limit, this OOG error will cause the entire processWithdrawals call revert. No matter how much gas is sent with the transaction, the transaction will always revert. The result is that all withdrawals would be permanently locked causing massive loss to all VUSD holders.
NOTE: I am submitting this as a separate issue apart from my other two similar issues. This a separate issue because the root cause is different even though the outcome is similar. The vulnerability exploited in this issue is that the call doesn't cap gas usage in any way allowing all the transaction gas to be consumed.
Vulnerability Detail
See summary.
Impact
All withdrawals can be permanently broken
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/VUSD.sol#L65-L85
Tool used
Manual Review
Recommendation
Apply a gas cap to the call. Alternatively withdraw could be changed from a two step process to a single step one without the need for a withdrawal queue at all.
Duplicate of #116