You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Attacker can gas grief user transactions by using rewards
Summary
Attacker can gas grief user transactions by using rewards
Root Cause
In AutoCompoundingPodLp contract, every operation first call internal process reward function in order to convert the reward tokens to usable assets by using swap operations for every reward token.
The problem is reward whitelist contract supports 12 tokens at max and those are choosen by the protocol.
contractRewardsWhitelistisIRewardsWhitelister, Ownable {
uint8constant MAX =12;
mapping(address=>bool) publicoverride isWhitelistedFromDebondFee;
If a token is whitelisted, any user can donate dust amount of token to Auto Compounding contract in order to process rewards. This situation may cause gas grief attacks for the users because in single transaction all the reward functions are swaped to LP token in the end ( For single reward token there are 2 swap operation and 1 add liquidity operation).
function _processRewardsToPodLp(uint256_amountLpOutMin, uint256_deadline) internalreturns (uint256_lpAmtOut) {
if (!yieldConvEnabled) {
return _lpAmtOut;
}
address[] memory _tokens =ITokenRewards(IStakingPoolToken(_asset()).POOL_REWARDS()).getAllRewardsTokens();
uint256 _len = _tokens.length+1;
for (uint256 _i; _i < _len; _i++) {
address _token = _i == _tokens.length? pod.lpRewardsToken() : _tokens[_i];
uint256 _bal =IERC20(_token).balanceOf(address(this)) - (_token == pod.PAIRED_LP_TOKEN() ? _protocolFees : 0); // @audit-info gas griefing and DoS attacksif (_bal ==0) { // @audit after swap let say there are few wei tokens left - gas griefcontinue;
}
uint256 _newLp =_tokenToPodLp(_token, _bal, 0, _deadline);
_lpAmtOut += _newLp;
}
_totalAssets += _lpAmtOut;
require(_lpAmtOut >= _amountLpOutMin, "M");
}
Get all reward tokens function works on token rewards contract but it can be easily added to token rewards contract by just simply depositing reward as an user.
function depositRewards(address_token, uint256_amount) externaloverride {
_depositRewardsFromToken(_msgSender(), _token, _amount, true);
}
Internal Pre-conditions
No need
External Pre-conditions
Some reward tokens should be whitelisted by the protocol
Attack Path
Firstly attacker deposit small amount of rewards to TokenRewards contract in order to active the tokens ( They are also whitelisted already )
And then attacker can donate each token to AutoCompoundingPodLP contract for reward processing
Let say the next caller is Alice will interact will Auto Compounding Pod LP.
She should pay massive amount of gas fee for the execution, maybe transaction can also revert ( DoS )
Impact
Loss of funds for the users, fee for swap operation may change in time but we can say that in normal chain conditions 3$ is paid for swap operation in mainnet. If there is 12 tokens, there will be 24 swap operation and 12 add liquidity operation. The user will pay massive amount of gas fee for the execution. It can also revert the transaction due to OOG issue.
PoC
No response
Mitigation
Fix is not trivial.
The text was updated successfully, but these errors were encountered:
Huge Cyan Cod
High
Attacker can gas grief user transactions by using rewards
Summary
Attacker can gas grief user transactions by using rewards
Root Cause
In AutoCompoundingPodLp contract, every operation first call internal process reward function in order to convert the reward tokens to usable assets by using swap operations for every reward token.
The problem is reward whitelist contract supports 12 tokens at max and those are choosen by the protocol.
If a token is whitelisted, any user can donate dust amount of token to Auto Compounding contract in order to process rewards. This situation may cause gas grief attacks for the users because in single transaction all the reward functions are swaped to LP token in the end ( For single reward token there are 2 swap operation and 1 add liquidity operation).
Get all reward tokens function works on token rewards contract but it can be easily added to token rewards contract by just simply depositing reward as an user.
Internal Pre-conditions
No need
External Pre-conditions
Attack Path
TokenRewardscontract in order to active the tokens ( They are also whitelisted already )Impact
Loss of funds for the users, fee for swap operation may change in time but we can say that in normal chain conditions 3$ is paid for swap operation in mainnet. If there is 12 tokens, there will be 24 swap operation and 12 add liquidity operation. The user will pay massive amount of gas fee for the execution. It can also revert the transaction due to OOG issue.
PoC
No response
Mitigation
Fix is not trivial.
The text was updated successfully, but these errors were encountered: