Malicious users can bloat the storage by creating positions with no liquidity #140

Closed
c4-bot-10 opened this issue Sep 12, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality 🤖_34_group AI based duplicate group recommendation

Comments

@c4-bot-10

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/pool.rs#L75

Vulnerability details

Impact

The current version of the pool contract allows users to create new positions by providing the address of the first token, the lower tick and the upper tick. The problem is that no liquidity is provided when minting a position for the first time. This basically allows an attacker to create an infinite number of empty positions and bloat the storage by doing that. Over time, this may lead to DoS as iterating over storage can become too costly.

Proof of Concept

The current functionality of mint_position_B_C5_B086_D():

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L495-502

    pub fn mint_position_B_C5_B086_D(
        &mut self,
        pool: Address,
        lower: i32,
        upper: i32,
    ) -> Result<U256, Revert> {
        let id = self.next_position_id.get();
        self.pools.setter(pool).create_position(id, lower, upper)?;

It calls create_position() in the pool contract, which just adds a new position to the storage:

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/pool.rs#L85

  self.positions.new(id, low, up);

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/position.rs#L35-39

    pub fn new(&mut self, id: U256, low: i32, up: i32) {
        let mut info = self.positions.setter(id);
        info.lower.set(I32::lib(&low));
        info.upper.set(I32::lib(&up));
    }

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/position.rs#L25-27

pub struct StoragePositions {
    pub positions: StorageMap<U256, StoragePositionInfo>,
}

Tools Used

Manual review.

Recommended Mitigation Steps

When creating a new position, the user has to add liquidity right away to avoid the situation where storage can be filled with no-liquidity positions.

Assessed type

Other
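The behaviour reported above next to the recommended mitigation, as an added example that is not code from the Superposition repository or from the report's author. It is an in-memory model: `HashMap` stands in for the on-chain `StorageMap`, and `PositionInfo`, its `liquidity` field, `store`, `mint_position_with_liquidity` and `empty_positions` are hypothetical names introduced for illustration.

```rust
use std::collections::HashMap;

// Simplified stand-in for StoragePositionInfo; the u128 liquidity field is an assumption.
#[derive(Debug, Clone, PartialEq)]
pub struct PositionInfo {
    pub lower: i32,
    pub upper: i32,
    pub liquidity: u128,
}

// In-memory model of StoragePositions: a HashMap replaces the on-chain StorageMap.
#[derive(Default)]
pub struct Positions {
    pub positions: HashMap<u64, PositionInfo>,
    pub next_position_id: u64, // assumed to advance by one per mint
}

impl Positions {
    fn store(&mut self, lower: i32, upper: i32, liquidity: u128) -> u64 {
        let id = self.next_position_id;
        self.positions.insert(id, PositionInfo { lower, upper, liquidity });
        self.next_position_id += 1;
        id
    }

    // Behaviour described in the report: only the ticks are supplied, so every
    // call leaves a zero-liquidity entry in storage.
    pub fn mint_position(&mut self, lower: i32, upper: i32) -> u64 {
        self.store(lower, upper, 0)
    }

    // Hypothetical hardened mint following the recommended mitigation: validate
    // before writing, so a rejected call leaves storage untouched.
    pub fn mint_position_with_liquidity(&mut self, lower: i32, upper: i32, liquidity: u128) -> Result<u64, &'static str> {
        if liquidity == 0 {
            return Err("position must be minted with liquidity");
        }
        Ok(self.store(lower, upper, liquidity))
    }

    // Audit helper: number of stored positions that hold no liquidity.
    pub fn empty_positions(&self) -> usize {
        self.positions.values().filter(|p| p.liquidity == 0).count()
    }
}

fn main() {
    let mut pool = Positions::default();
    for _ in 0..1_000 { pool.mint_position(-60, 60); }
    println!("empty entries after 1000 bare mints: {}", pool.empty_positions());
}
```

The zero-liquidity check runs before any write, so a rejected mint neither stores an entry nor consumes a position id.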

@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 12, 2024
c4-bot-2 added a commit that referenced this issue Sep 12, 2024
@c4-bot-12 c4-bot-12 added the 🤖_34_group AI based duplicate group recommendation label Sep 13, 2024
@howlbot-integration howlbot-integration bot added the insufficient quality report This report is not of sufficient quality label Sep 16, 2024
@rodiontr

rodiontr commented Sep 24, 2024

Hi @alex-ppg. I believe this should be transferred to the findings repo for the following reasons:

  1. The issue identifies how storage can become too expensive to fetch as positions are created with no liquidity and only with ticks, so the only thing that's required for an attacker is to pay some gas fees. As the supported chain is Arbitrum, they will be very low.

  2. There was a precedent where a similar finding was judged as medium severity in a similar context:
    Storage can be bloated with low value liquidity positions 2024-02-hydradx-findings#54
