Platform: Code4rena
Start Date: 07/09/2022
Pot Size: $20,000 CANTO
Total HM: 7
Participants: 65
Period: 1 day
Judge: 0xean
Total Solo HM: 3
Id: 159
League: ETH
Rank: 29/65
Findings: 1
Award: $107.40
Selected for report: 1
Solo Findings: 0
Selected for report: 0xhunter
Also found by: BipinSah, Rohan16, Sm4rty, Tomo, fatherOfBlocks, m_Rassska, oyc_109, prasantgupta52, rokinot
664.9949 CANTO - $107.40
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L560-L568
Loops that do not have a fixed number of iterations, for example, loops that depend on storage values, have to be used carefully: Due to the block gas limit, transactions can only consume a certain amount of gas. Either explicitly or just due to normal operation, the number of iterations in a loop can grow beyond the block gas limit which can cause the complete contract to be stalled at a certain point.
Calling the createPair function pushes a pair to the allPairs array. An admin can call the setPeriodSize function to set newPeriod for every pair in the allPairs array. However, by spamming the createPair function, the loop in the setPeriodSize function may revert on hitting the gas limit of the network. Since there is no way to remove entries from allPairs or decrease its length in the setPeriodSize function, it is possible to make the setPeriodSize function impossible to call.
To fix the issue, the setPeriodSize function has to be executable across multiple calls in case it hits the gas limit.
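The pattern and the suggested fix, side by side, as an added example that is not part of the submission and is not the Canto BaseV1 source. FactoryModel, IPair, registerPair and setPeriodSizeRange are hypothetical names in a simplified model; only allPairs, setPeriodSize and newPeriod come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Added example: simplified model of a pair factory, not the project's code.
interface IPair {
    function setPeriodSize(uint256 newPeriod) external;
}

contract FactoryModel {
    address public admin;
    address[] public allPairs; // grows on every pair creation, never shrinks

    constructor() {
        admin = msg.sender;
    }

    // Stand-in for createPair (assumption): any caller can grow the array.
    function registerPair(address pair) external {
        allPairs.push(pair);
    }

    // Unbounded form described in the finding: gas cost is linear in
    // allPairs.length, so past some length every call runs out of gas.
    function setPeriodSize(uint256 newPeriod) external {
        require(msg.sender == admin, "not admin");
        for (uint256 i = 0; i < allPairs.length; ++i) {
            IPair(allPairs[i]).setPeriodSize(newPeriod);
        }
    }

    // Batched form: the admin picks a window per transaction, so the work
    // can always be split to fit under the block gas limit.
    // Returns the index to pass as `start` in the next call.
    function setPeriodSizeRange(uint256 newPeriod, uint256 start, uint256 count)
        external
        returns (uint256 next)
    {
        require(msg.sender == admin, "not admin");
        uint256 len = allPairs.length;
        require(start < len, "start out of range");
        uint256 end = start + count; // checked arithmetic reverts on overflow
        if (end > len) end = len;    // clamp the final, partial batch
        for (uint256 i = start; i < end; ++i) {
            IPair(allPairs[i]).setPeriodSize(newPeriod);
        }
        return end;
    }
}
```

With the batched form, pairs outside the windows already processed keep their old period until the rollout finishes, so the caller has to keep submitting batches until the returned index equals the array length.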
#0 - nivasan1
2022-09-08T20:12:49Z
Given that it is not expected for admin to change the period size in the router often, we do not consider this a high-risk vulnerability. This would also cost an infinite amt of Canto if orchestrated by a single user.
#1 - 0xean
2022-09-14T20:00:45Z
I am not sure the frequency that this is set to be used matters; it does lead to the functionality being lost. However, I do not see it leading to a loss of user funds, so will downgrade to a medium severity.
"This would also cost an infinite amt of Canto if orchestrated by a single user" <- I am also not sure I understand this point. Can you explain further? What are the transaction gas limits set on this network?
#2 - nivasan1
2022-10-12T19:13:45Z
@0xean, the method mentioned requires admin privileges to call it. As such, in order for an address that isn't timelock to access this method a malicious governance proposal must be passed to call the method from timelock, or to pass governance privileges to the malicious address. Secondly, the malicious user would have to spend a significant amount of Canto in deploying and adding sufficient liquidity to the contracts desired. As such, the risk-rewards for this action make it unclear why any user would attempt to do this.
#3 - 0xean
2022-10-13T00:25:46Z
I don't think this is necessarily an attack vector, simply a way that the intended logic of the contracts could fail. If Canto is wildly successful there could be sufficient pairs that this would fail. I think M is a reasonable severity.