New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drips sender can prevent receiver from squeezing by spamming the drips history #274
Comments
GalloDaSballo marked the issue as primary issue |
There is no real incentive for why a sender should do it. A sender could also just stop sending to a specific receiver. Maybe the only scenario I could think of is something like:
I think even then it would be just more expensive and not impossible to collect. |
[disagree with severity: QA] Using |
CodeSandwich marked the issue as disagree with severity |
@berndartmueller Can you please let me know if you believe the denial can be performed indefinitely, or if at end-of-cycle the tokens will be collectable? |
@GalloDaSballo The denial can only be performed within the cycle. The tokens can be claimed at the end of the cycle (or to be correct, at the next cycle) This issue presents a denial issue to prevent the squeezing functionality. I submitted it as Medium severity as the intended functionality of the protocol is affected |
From the deployments we can infer that a cycle will be 1 week (604800), we could assume that on mainnet this may change to up to a month, but I think this gives us an idea of the maximum delay. I'd say the finding could be judged either as QA Low or Medium If the spammer could have been anyone, then we could have argued in favour of Medium Severity, as anyone could have DOsses up to 1 week of drips, however, this grief can only be performed by the sender, whom could simply cancel the drip. For this reason, after considering Medium Severity, I think the most appropriate one is Low |
L +3 |
GalloDaSballo changed the severity to QA (Quality Assurance) |
GalloDaSballo marked the issue as grade-c |
GalloDaSballo marked the issue as grade-a |
After re-reading the finding, I realized that this can be performed, but not as a front-run Because of the increased cost of For those reasons I confirm QA for this report |
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Drips.sol#L422-L433
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Drips.sol#L342-L368
Vulnerability details
Squeezing drips from a sender requires providing the sequence of drips configurations (see NatSpec description in L337-L338):
A receiver who wants to squeeze drips from a sender may be faced with many history entries to provide if the sender, for whatever reason, spammed the drips history with many new configurations. Drips configs can potentially contain 0 receivers, which lowers the gas costs to create a new config.
The
dripsHistory
parameter of theDripsHub.squeezeDrips
function usesmemory
instead ofcalldata
. If the provided array is significantly sized, copying it to memory may exceed the block gas limit and cause the transaction to fail with an out-of-gas error. This leaves the receiver unable to squeeze drips from the sender.Impact
A drips sender can prevent a drips receiver from squeezing the current cycle by spamming the current cycle with many drips history configurations.
Proof of Concept
Drips.sol#L342-L368
Drips.sol#L422-L433
Tools Used
Manual review
Recommended mitigation steps
Consider limiting the number of drips configurations within a cycle to a reasonable number and use
calldata
instead ofmemory
for thedripsHistory
parameter ofDrips._squeezeDrips()
(and update theDripsHub
contract accordingly as well) to prevent gas expensive copying of calldata to memory.The text was updated successfully, but these errors were encountered: