Canto Dex Oracle contest - m_Rassska's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 25/65

Findings: 1

Award: $107.40

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xhunter

Also found by: BipinSah, Rohan16, Sm4rty, Tomo, fatherOfBlocks, m_Rassska, oyc_109, prasantgupta52, rokinot

Labels

bug
duplicate
2 (Med Risk)

Awards

664.9949 CANTO - $107.40

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-core.sol#L560-L568

Vulnerability details

[M-01] Unbounded gas consumption

Description:

  • In BaseV1Factory, there is a function setPeriodSize(uint256) which sets the newPeriodSize for pair. However, the pairs length is not under a limit, thus it causes unbounded gas consumption and from some point it may exceed the hard limits.

All occurrences:

  • Contracts:

        function setPeriodSize(uint newPeriod) external {
            require(msg.sender == admin);
            require(newPeriod <= MaxPeriod);
    
            for (uint i; i < allPairs.length; ) {
                BaseV1Pair(allPairs[i]).setPeriodSize(newPeriod);
                unchecked {++i;}
            }
        }

Recommended Mitigation Steps:

  • It's a good practice to divide it into a bunch of batches in order to setPeriodSize in multiple transactions.
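A sketch of the batched form recommended above, as an added example that is not part of the submission or the Canto code base. The contract name, the `IPeriodPair` interface, the `start`/`count` parameters, the event and the constructor-supplied `MaxPeriod` are assumptions for illustration; pair creation is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interface for the pair call shown in the finding.
interface IPeriodPair {
    function setPeriodSize(uint newPeriod) external;
}

contract BatchedPeriodFactory {
    address public admin;
    uint public immutable MaxPeriod; // assumed: supplied at deployment, real bound is in BaseV1-core.sol
    address[] public allPairs;       // populated by pair creation, omitted here

    event PeriodSizeBatch(uint newPeriod, uint start, uint next);

    constructor(uint maxPeriod) {
        admin = msg.sender;
        MaxPeriod = maxPeriod;
    }

    // Updates at most `count` pairs starting at index `start`, so the gas used
    // by one transaction is bounded by `count`, not by allPairs.length.
    // Returns the index to pass as `start` in the next call; when the returned
    // value equals allPairs.length, every pair has been updated.
    function setPeriodSize(uint newPeriod, uint start, uint count)
        external
        returns (uint next)
    {
        require(msg.sender == admin, "not admin");
        require(newPeriod <= MaxPeriod, "period too large");

        uint length = allPairs.length;
        require(start <= length, "start out of range");

        // Clamp the end of the batch to the array length.
        next = start + count;
        if (next > length) next = length;

        for (uint i = start; i < next; ) {
            IPeriodPair(allPairs[i]).setPeriodSize(newPeriod);
            unchecked { ++i; }
        }
        emit PeriodSizeBatch(newPeriod, start, next);
    }
}
```

Until the last batch has been mined, pairs below the returned index use the new period and the rest still use the old one, so anything that compares observations across pairs has to tolerate that window.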

#0 - nivasan1

2022-09-10T16:21:20Z

duplicate #8
