sherlock-audit / 2024-05-kwenta-x-perennial-integration-update-judging


1337web3 - Medium 01 DoS #26

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

1337web3

medium

Medium 01 DoS

Summary

The code snippet implements a loop iterating over an array called invocations, storing each element in an Invocation struct. Our audit identified a potential Denial of Service (DoS) vulnerability associated with this loop structure.

Vulnerability Detail

The vulnerability arises due to the lack of constraint on the size of the invocations array. As the loop iterates over each element, it could consume excessive gas, potentially leading to a DoS attack if the array size is unbounded or excessively large.

https://github.com/sherlock-audit/2024-05-kwenta-x-perennial-integration-update/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L143-L188

Impact

If exploited, the vulnerability could result in a DoS attack, causing the system to become unresponsive or exhaust gas resources, disrupting normal operations.

Code Snippet

for (uint i = 0; i < invocations.length; ++i) {
    Invocation memory invocation = invocations[i];
    // Further code handling invocation
}

Tool used

Manual Review

Recommendation

sherlock-admin4 commented 5 months ago

3 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; Denial-of-Service issues require proof of concept (POC), and this issue does not result in the locking of funds or the unavailability of functions. Users can utilize shorter arrays.

takarez commented:

The call will just revert and not affect other users.

FSchmoede commented:

Invalid, as this would only be an issue for the user himself/herself, thus not affecting anyone else.
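
The distinction the judging comments draw, shown as an added Solidity example that is not part of the issue thread or the audited repository: a loop over a caller-supplied array next to a loop over shared storage. The contract, its function names, the `Invocation` fields and the cap of 32 are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration; not MultiInvoker, all names are assumptions.
contract LoopTriageExample {
    struct Invocation { uint8 action; bytes args; } // constructed fields

    uint256 public constant MAX_INVOCATIONS = 32;   // constructed cap
    address[] public recipients;                    // shared storage list
    mapping(address => uint256) public owed;

    event Handled(address indexed caller, uint8 action);
    error TooManyInvocations(uint256 length);

    // Shape reported in the issue: the array arrives in msg.sender's calldata.
    // Gas scales with the caller's own input, so an oversized array reverts only
    // that transaction, changes no state, and a shorter array still succeeds.
    function invoke(Invocation[] calldata invocations) external {
        for (uint256 i = 0; i < invocations.length; ++i) {
            Invocation memory invocation = invocations[i];
            emit Handled(msg.sender, invocation.action);
        }
    }

    // Same loop with a length check: an out-of-gas failure becomes an early
    // revert with a descriptive error. Useful for UX, not required for safety.
    function invokeCapped(Invocation[] calldata invocations) external {
        if (invocations.length > MAX_INVOCATIONS) revert TooManyInvocations(invocations.length);
        for (uint256 i = 0; i < invocations.length; ++i) {
            emit Handled(msg.sender, invocations[i].action);
        }
    }

    // Contrasting shape: the loop bound is shared state that any account extends.
    function register() external { recipients.push(msg.sender); }

    // Every caller pays for the whole list and has no shorter input to fall back
    // on; this is the case where an unbounded loop makes a function unavailable.
    function settleAll() external {
        for (uint256 i = 0; i < recipients.length; ++i) owed[recipients[i]] += 1;
    }

    // Bounded form of settleAll: the caller chooses a window, so per-call gas
    // stays under the caller's control however long the list grows.
    function settle(uint256 start, uint256 count) external {
        uint256 end = start + count;
        if (end > recipients.length) end = recipients.length;
        for (uint256 i = start; i < end; ++i) owed[recipients[i]] += 1;
    }
}
```

When triaging a loop-based DoS report, the question to ask is who controls the loop bound: caller input, as in `invoke`, or state that other accounts can grow, as in `settleAll`.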