Hubble contest - bw's results
Multi-collateral/Cross-Margin Perpetual Futures on Avalanche.
General Information
Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 39
Period: 7 days
Judges: moose-code, JasoonS
Total Solo HM: 13
Id: 89
League: ETH
Findings Distribution
Researcher Performance
Rank: 25/39
Findings: 1
Award: $274.14
π Selected for report: 1
π Solo Findings: 0
Labels
Awards
274.1361 USDC - $274.14
External Links
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/ClearingHouse.sol#L129 https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/AMM.sol#L678
Vulnerability details
Impact
As the number of supported markets grow, settleFunding will reach a point were it exceeds the block gas limit on Avalanche C-Chain. This will prevent users from calling the function and cause a wide spread Denial of Service.
Looking at transactions for the current testnet deployment, settleFunding already reaches almost 10% of the block gas limit. This is due settle funding iteratively looping through each market, with each iteration entering an unbounded while loop in _calcTwap. The more active the markets are, the more gas intensive _calcTwap becomes, as more snapshots need to be traversed.
The combination of more active markets and an increase in available markets make it very likely that some users will be unable to call settleFunding in the long run.
Proof of Concept
Example of transactions on testnet:
Recommended Mitigation Steps
Users should be allowed to settle funding per market or using an array of markets opposed to all markets at once.
function settleFundingForMarkets(IAMM[] markets) override external whenNotPaused { for (uint i = 0; i < markets.length; i++) { markets[i].settleFunding(); } }
In this way the gas cost will not increase with the number of markets created over time.
#0 - atvanguard
2022-02-24T04:51:17Z
It's a known issue that adding many more markets will eventually exceed block gas limit on many operations (not just settleFunding). For that reason, DAO governance has to be careful with not adding too many markets. Would classify this as 0 (Informational).
#1 - moose-code
2022-03-06T14:43:01Z
This is definitely more than informational. You can see in the gas profiler on only a limited amount of markets with not much action, lots of gas was used. This has potential to be a much bigger issue in the future.
Very rightly so the warden points out _calcTwap as intensive which is shown on the profiler below for the one market. Calculating a TWAP across many different markets could blow this function up very quickly.
Further more, if you take ALL the gas in a single block, this becomes really expensive and difficult as you need to push out a lot of other high priority transactions that are pending. If this was needing to be executed during an NFT minting spree it would be tough.
@JasoonS lets discuss on medium vs high for this one.
#2 - moose-code
2022-03-06T15:43:04Z
Going to have this as medium.