search

sherlock-audit / 2024-01-rio-vesting-escrow-judging

3 stars 2 forks source link

millietez - token regeneration leading to system overload #104

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

millietez

medium

token regeneration leading to system overload

Summary

Sending a transaction through the function VestingEscrowFactory.sol#recoverERC20, which can be repeated in a loop.

Vulnerability Detail

VestingEscrowFactory.sol#L80-L85

    function recoverERC20(address token_, uint256 amount) external {
        if (amount > 0) {
            IERC20(token_).safeTransfer(owner(), amount);
            emit ERC20Recovered(token_, amount);
        }
    }

An attacker could initiate a transaction and repeatedly execute it in a loop, also leading to the mass generation of ERC20Recovered events. If the backend processes these events and performs resource-intensive operations, there is a risk of system overload and temporary service disruption.

Impact

System overload and temporary service disruption.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrowFactory.sol#L80-L85

Tool used

Manual Review

Recommendation

Limit the amount of recoverable tokens within a specific time frame or for any number of transactions.

nevillehuang commented 9 months ago

Invalid, this is a non-issue, given any stuck funds in factory contract will be returned to owner as intended. Additionally, the vesting factory contract is not intended to hold funds in the first place.