search

sherlock-audit / 2024-02-rubicon-finance-judging

5 stars 3 forks source link

hunter_w3b - `BaseGladiusReactor::executeBatch` vulnerable to DOS attack #65

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

hunter_w3b

medium

BaseGladiusReactor::executeBatch vulnerable to DOS attack

Summary

Due to the block gas limit, there is a clear limitation in the amount of operation that can be handled in a transaction. So the orders comes directly from the input orders array passed by the caller, without any validation.This allows an attacker to craft a transaction with a very long but mostly empty orders array, targeting excessive gas usage again via the array allocation. Loops that are dependent on user-controlled input can be exploited to halt the contract's functions.

Vulnerability Detail

The vulnerability in the contract is related to the lack of input length validation, which can lead to a denial-of-service (DoS) attack. Specifically, the contract fails to bound the input length, leaving it susceptible to a DoS vector through memory allocation costs.

The problem arises from the fact that the orders variable, which is used in the contract, directly comes from the input orders array provided by the caller, without any validation. This allows an attacker to create a transaction with an excessively long but mostly empty orders array, deliberately targeting excessive gas usage through array allocation.

Loops that depend on user-controlled input can be exploited to halt the contract's functions, potentially disrupting its normal operation.

Impact

The impact of this vulnerability is that an attacker can abuse it to consume excessive gas, leading to increased costs for executing transactions on the contract.

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L82-L101

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L104-L128

Tool used

Manual Review

Recommendation

Ensure the number of iterations is properly bounded.

sherlock-admin commented 9 months ago

3 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

I don't see how this will harm users

PNS commented:

M-1 OZ Audit; Fillers generally estimate gas before execution and use private mempools like flashbots or mevblocker.

0xAadi commented:

Invalid: this will not DOS the protocol, users can reduce the size of the orders and resubmit