search

sherlock-audit / 2024-05-sophon-judging

7 stars 6 forks source link

0xsi - `SophonFarming::updatePool` should be restricted to the owner. Unrestricted Access to updatePool Function Enables Potential DoS Attacks #76

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

0xsi

medium

SophonFarming::updatePool should be restricted to the owner. Unrestricted Access to updatePool Function Enables Potential DoS Attacks

Summary

The updatePool function is publicly accessible, allowing anyone to call it. This can lead to several issues, including potential denial-of-service (DoS) attacks, where an attacker repeatedly calls this function to consume gas and potentially disrupt the contract’s operations. This unrestricted access also poses risks of inefficient use of gas and unnecessary strain on the network.

Vulnerability Detail

Repeated Calls:

An attacker scripts repeated calls to updatePool with the intention to exhaust gas resources, leading to a DoS attack. This could slow down or halt other critical operations of the contract.

Timing Exploitation:

An attacker could strategically call updatePool at specific times to manipulate the reward distribution process, although the exact exploit would depend on the contract’s broader logic and reward system.

Impact

Denial-of-Service (DoS) Attack:

An attacker can call updatePool in a loop, consuming large amounts of gas and potentially preventing other users from interacting with the contract. This can lead to high transaction costs for legitimate users and potential service disruption.

Gas Inefficiency:

Public access to this function can lead to unnecessary gas consumption, especially if called repeatedly without substantial changes in the pool’s state. Frequent unnecessary updates can lead to higher gas fees and inefficient utilization of the network.

State Manipulation:

While less likely, the function’s public nature might enable malicious actors to manipulate the timing of updates to their advantage, potentially affecting reward calculations.

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L411-L435

Tool used

Manual Review

Recommendation

-    function updatePool(uint256 _pid) public {
+    function updatePool(uint256 _pid) public onlyOwner {
sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because this isn't a recursive call and will not perpetually clog the traffic.