Jumpy Beige Pigeon - Potential Griefing via Dust Transaction Requirement in USDT Deposits in CDS contract

[sherlock-admin3]

Jumpy Beige Pigeon

Medium

Potential Griefing via Dust Transaction Requirement in USDT Deposits in CDS contract

Summary

The current deposit logic allows a malicious user to manipulate the deposit process, potentially forcing another user to perform an economically unviable dust transaction of eg: 1 wei in USDT to reach the deposit limit inorder to start a USDA deposits.

Root Cause

The CDS contract enforces a USDT deposit limit (params.usdtLimit), set to $20,000.

        // Check whether the usdt limit is reached or not
        if (omniChainData.usdtAmountDepositedTillNow < params.usdtLimit) {
            // If the usdtAmountDepositedTillNow and current depositing usdt amount is lesser or
            // equal to usdtLimit
            if (
                (omniChainData.usdtAmountDepositedTillNow +
                    params.usdtAmount) <= params.usdtLimit
            ) {
                // Check the totalDepositingAmount is usdt amount
                if (params.usdtAmount != totalDepositingAmount) revert CDSInterface.CDS_NeedsUSDTOnly();
            } else {
 @>             revert CDSInterface.CDS_SurplusUSDT();
            }
        } else {
            // usda amount must be 80% of totalDepositingAmount
            if (
                params.usdaAmount <
                (params.usdaLimit * totalDepositingAmount) / 100
            ) revert CDSInterface.CDS_RequiredUSDaNotMet();
            // Check the user has enough usda
            if (interfaces.usda.balanceOf(msg.sender) < params.usdaAmount) revert CDSInterface.CDS_Insufficient_USDa_Balance(); // check if user has sufficient USDa token
        }

https://github.com/sherlock-audit/2024-11-autonomint/blob/main/Blockchain/Blockchian/contracts/lib/CDSLib.sol#L437C1-L458C10

The code checks if the total USDT deposited so far (omniChainData.usdtAmountDepositedTillNow) is less than the limit (params.usdtLimit).

If the total USDT deposited plus the new deposit (params.usdtAmount) is within the limit, it requires the deposit to be composed entirely of USDT.

If the USDT deposits not reached the params.usdtLimit the transaction will revert, that means users need to complete USDT deposits together to start depositing USDA

A malicious depositor can intentionally deposit an amount that leaves the total USDT deposited (omniChainData.usdtAmountDepositedTillNow) just 1 wei/dust amount short of the limit.

So, the next user attempting to deposit must contribute exactly 1 wei of USDT to reach the limit, incurring transaction fees that far exceed the deposit value. This can deter users and disrupt normal deposit operations.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

A malicious user can deposit an amount that leaves the total just 1 wei/dust amount short of the limit. This forces the next depositor to contribute exactly 1 wei/dust amount of USDT to reach the limit, which is forcing users to make a non profitable trade.

Impact

The transaction fees for depositing 1 wei of USDT would far exceed the value of the deposit, making it economically non profitable. This can deter users from depositing and disrupt normal operations, as users may not want to incur such costs for a negligible deposit.

PoC

No response

Mitigation

Implement a minimum deposit amount to prevent dust transactions, and restict depositers from leaving dust gaps. This ensures that deposits below a certain value are not allowed, avoiding the scenario where a user is forced to deposit an impractically small amount.