Arbitrary Deposit into Contract Can Cause DoS to User
Summary
The PointTokenVault contract is vulnerable to a Denial of Service (DoS) condition due to its method of checking deposit limits in function deposit .
if (cap != type(uint256).max) {
if (_amount + _token.balanceOf(address(this)) > cap) {
revert DepositExceedsCap();
}
}
The contract uses the current token balance to enforce deposit caps, which inadvertently includes arbitrary deposits not accounted for by the intended deposit tracking mechanism, potentially causing legitimate deposit transactions to revert before the total intended deposits reach the cap.
Vulnerability Detail
The contract enforces deposit caps by comparing the sum of the deposit amount and the contract's current balance. This approach inadvertently includes any arbitrary deposits made to the contract, reducing the effective cap limit set by the admin. As a result, legitimate deposit attempts may revert when the actual tracked deposits have not yet reached the cap, due to these untracked arbitrary deposits.
Afriaudit
Medium
Arbitrary Deposit into Contract Can Cause DoS to User
Summary
The PointTokenVault contract is vulnerable to a Denial of Service (DoS) condition due to its method of checking deposit limits in function
deposit
.The contract uses the current token balance to enforce deposit caps, which inadvertently includes arbitrary deposits not accounted for by the intended deposit tracking mechanism, potentially causing legitimate deposit transactions to revert before the total intended deposits reach the cap.
Vulnerability Detail
The contract enforces deposit caps by comparing the sum of the deposit amount and the contract's current balance. This approach inadvertently includes any arbitrary deposits made to the contract, reducing the effective cap limit set by the admin. As a result, legitimate deposit attempts may revert when the actual tracked deposits have not yet reached the cap, due to these untracked arbitrary deposits.
Impact
https://github.com/sherlock-audit/2024-07-sense-points-marketplace/blob/main/point-tokenization-vault/contracts/PointTokenVault.sol#L118
Code Snippet
Tool used
Arbitrary deposits can prematurely hit the cap, blocking legitimate user deposits.
Manual Review
Recommendation
Track total deposits separately from the contract's balance
So only successful deposits should count towards the cap.