search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

cheatcode - Deadlock could potentially occur in announceLeverageClose and announceLeverageAdjust Functions #265

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 8 months ago

cheatcode

medium

Deadlock could potentially occur in announceLeverageClose and announceLeverageAdjust Functions

Summary

In the context of the announceLeverageClose and announceLeverageAdjust functions, a deadlock could potentially occur due to the use of the lock function. The lock function is used to prevent a resource (in this case, a token) from being accessed by other processes while it is being used.

Vulnerability Detail

  1. A user calls the announceLeverageClose or announceLeverageAdjust function, which in turn calls the lock function to lock a token.
  2. If the function fails after the token is locked but before it is released, the token remains locked.
  3. Any subsequent attempts to access the locked token (for example, by calling the announceLeverageClose or announceLeverageAdjust function again) will fail because the token is still locked from the previous call.
  4. This results in a deadlock situation where the token cannot be accessed or unlocked because the process that locked it is waiting for resources to complete.

Impact

DoS

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L317

Tool used

Manual Review

Recommendation

  1. Implement robust exception handling to ensure that if a function fails, any resources it has locked are properly released.
  2. Implement a timeout for locks. If a process has held a lock for longer than the specified timeout period, the lock is automatically released.
sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 7 months ago

Invalid, if function fails the token will not be locked