Althea Liquid Infrastructure - psb01's results

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L127-L146 https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L184-L189 https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L198-L237

Vulnerability details

Impact

Due to incorrect implementation of _beforeTokenTransfer(), each time when contract tokens are burned address(0) will be added to holders[] array which will result in DOS while distributing ERC20s tokens to all holders.

Proof of Concept

Whenever tokens are burned in _beforeTokenTransfer()

1. address to = address(0).
2. bool exists = (this.balanceOf(to) != 0) => (exists = false).
3. In next line statement inside if(!exists) execute (as !exists = true) and address(0) will be pushed in holders[] array.

1st case - When distributeToAllHolders() is called holder.length is passed to distribute() function. Inside distribute() function for (i = nextDistributionRecipient; i < limit; i++) will try to distribute ERC20s tokens to all holders which may consists of lots of address(0) also which results out of gas errors.

Although as address(0) is not in HolderAllowlist[] so no token will be transfered to address(0) (again there is no zero address check in approveHolder() but it has onlyOwner modifier so considering address(0) will not be approved holder).

2nd case - when distribute() function is called with (say numDistributions = 3) then while distributing inside for (i = nextDistributionRecipient; i < limit; i++) loop if index i = nextDistributionRecipient to next 2 indices consist of address(0) then no distributions will be made to approved holders.

Tools Used

Manual

Recommended Mitigation Steps

Apply check to ensure to != address(0) before pushing inside holders[].

Assessed type

DoS