search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

Anubis - Potential Denial of Service (DoS) via Block Specimen Session (Unbounded Loops) #5

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Anubis

medium

Potential Denial of Service (DoS) via Block Specimen Session (Unbounded Loops)

Summary

The finalizeSpecimenSession function in the contract iterates over an unbounded number of block specimen hashes and their respective participants. In scenarios with a high number of submissions, the gas cost could exceed block gas limits, resulting in a denial of service where sessions cannot be finalized.

Vulnerability Detail

The function finalizeSpecimenSession is designed to finalize block specimen sessions by determining the most agreed-upon specimen hash. It involves iterating over all submitted block specimen hashes and their participants to find the specimen hash with the maximum agreement. However, there are no bounds on the number of specimen hashes or participants, leading to unbounded loops. If the number of submissions is very high, the function may require more gas than the block gas limit allows, making it impossible to finalize the session, effectively causing a DoS condition.

Impact

If this function fails to execute due to excessive gas costs, it could halt important governance decisions or reward distributions, affecting the protocol's functionality and potentially causing loss of trust among participants.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L397 .... https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L416 .... https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L419 .... https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L374

Tool used

Manual Review

Recommendation

Introduce a mechanism to limit the number of specimen hashes and participants that can be processed in a single transaction. This can be achieved by implementing pagination or splitting the finalization process into multiple transactions. Additionally, consider setting reasonable limits on the number of specimen hashes and participants to prevent excessive gas costs.

// Pseudo-code for a paginated finalizeSpecimenSession function
function finalizeSpecimenSession(uint64 chainId, uint64 blockHeight, uint256 startIndex, uint256 endIndex) public {
    ...
    // Process only a subset of specimen hashes based on startIndex and endIndex
    for (uint256 i = startIndex; i < endIndex && i < blockSpecimenHashesLength; i++) {
        ...
        // Further logic to handle paginated processing
    }
    ...
}
sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid: the array lenght is not controlled by admin thus making it possile for a large number of the array; medium(2)

noslav commented 8 months ago

@sudeepdino008 can we figure out what is the upper bound on the number of finalization pariticipants that can be accepted before OOO occurs?

nevillehuang commented 8 months ago

Invalid based on sherlock OOG rules