sherlock-audit / 2023-07-perennial-judging


feelereth - the at() function can be exploited to cause an out-of-gas error #107

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

feelereth

high

the at() function can be exploited to cause an out-of-gas error

Summary

The at() view function iterates backwards through historical oracles to find the right one for the timestamp. This could be exploited to cause the function to run out of gas if there are a large number of historical oracles.

Vulnerability Detail

The issue is that it iterates from global.current downwards without any limit on the number of iterations. An attacker could exploit this by:

  1. Calling update() multiple times to add a large number of historical oracles to the oracles mapping
  2. Calling at() with a very old timestamp that requires iterating through most/all of the oracles
  3. This will cause the at() function to iterate over a very large number of oracles, potentially using up all available gas and reverting

Impact

This will cause the function to run out of gas.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/Oracle.sol#L64-L72

Tool used

Manual Review

Recommendation

Oracles should be stored in a more efficient data structure like a binary search tree rather than a simple mapping.

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

panprog commented:

Invalid because at() only iterates until the correct timestamp is found, and also because the owner is trusted to not add many oracles.
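
A simplified Python model of the lookup discussed in this thread, added here as an illustration and not taken from Oracle.sol or from any commenter: it counts loop iterations for a backward scan with early exit and for a binary search over the same data. The epoch layout (one start timestamp per oracle, indexed from 1) and the names `build_epochs`, `at_linear`, `at_bisect` and `compare` are assumptions made for the example.

```python
def build_epochs(n, period=1000):
    """Constructed sample data: oracle epoch i (1-based) starts at i * period."""
    return [i * period for i in range(1, n + 1)]


def at_linear(starts, timestamp):
    """Scan from the newest epoch downward and stop at the first epoch whose
    start is <= timestamp. Returns (epoch_index, loop_iterations)."""
    steps = 0
    for i in range(len(starts), 0, -1):
        steps += 1
        if starts[i - 1] <= timestamp:
            return i, steps
    return 0, steps  # timestamp predates every epoch


def at_bisect(starts, timestamp):
    """Same lookup as at_linear, using binary search over the sorted starts."""
    steps, lo, hi = 0, 0, len(starts)
    while lo < hi:
        steps += 1
        mid = (lo + hi) // 2
        if starts[mid] <= timestamp:
            lo = mid + 1
        else:
            hi = mid
    return lo, steps


def compare(n, timestamp):
    """Return (epoch_index, linear_steps, bisect_steps) for n epochs."""
    starts = build_epochs(n)
    i_lin, s_lin = at_linear(starts, timestamp)
    i_bin, s_bin = at_bisect(starts, timestamp)
    assert i_lin == i_bin  # both strategies must pick the same epoch
    return i_lin, s_lin, s_bin


if __name__ == "__main__":
    for n in (4, 64, 1024):
        recent = compare(n, n * 1000 + 1)  # timestamp inside the newest epoch
        oldest = compare(n, 1000)          # timestamp inside the oldest epoch
        print(f"n={n:5d} recent={recent} oldest={oldest}")
```

In this model the backward scan costs one iteration for a current timestamp and one iteration per epoch for the oldest one, so the worst case grows only with the number of oracles that have been added.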