search

sherlock-audit / 2024-05-elfi-protocol-judging

11 stars 7 forks source link

ZeroTrust - The create Withdraw Request lacks any condition checks, making it easy to create a large number of invalid requests #226

Closed sherlock-admin2 closed 3 months ago

sherlock-admin2 commented 3 months ago

ZeroTrust

Medium

The create Withdraw Request lacks any condition checks, making it easy to create a large number of invalid requests

Summary

The create Withdraw Request lacks any condition checks, making it easy to create a large number of invalid requests

Vulnerability Detail

    function createWithdrawRequest(address token, uint256 amount) external {
        uint256 requestId = UuidCreator.nextId(WITHDRAW_ID_KEY);
        Withdraw.Request storage request = Withdraw.create(requestId);
        request.account = msg.sender;
        request.token = token;
        request.amount = amount;

        emit CreateWithdrawEvent(requestId, request);
    }

We can see that The create Withdraw Request lacks any condition checks, so it easy to create a large number of invalid requests. This leads to two adverse consequences: the keeper wastes gas executing or canceling these requests, and due to the large number of invalid requests occupying the keeper’s resources, it becomes difficult for valid requests to be serviced, resulting in a DoS.

Impact

This leads to two adverse consequences: the keeper wastes gas executing or canceling these requests, and due to the large number of invalid requests occupying the keeper’s resources, it becomes difficult for valid requests to be serviced, resulting in a DoS.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L157

Tool used

Manual Review

Recommendation

Add valid request checks in the createWithdrawRequest function.

Duplicate of #96