This repository has been archived by the owner on Jun 4, 2023. It is now read-only.
RaymondFam - _accumulateExternalRewards()
could turn into an infinite loop if the check condition is true
#125
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
RaymondFam
medium
_accumulateExternalRewards()
could turn into an infinite loop if the check condition is trueSummary
In WstethLiquidityVault.sol, the for loop in
_accumulateExternalRewards()
utilizescontinue
so it could proceed to the next iteration upon having a true condition in the sanity check. This will however turn the function into an infinite loop because++i
has been included at the end of the loop logic. As a result, this skipped increment leads to the sameexternalRewardTokens[i]
repeatedly assigned torewardToken
wherenewBalance < rewardToken.lastBalance
continues to equal true until the same executions make the gas run out.Vulnerability Detail
Here is a typical scenario:
_accumulateExternalRewards()
gets invoked via one of the functions embedding it, i.e.claimRewards()
,_depositUpdateRewardState()
or_withdrawUpdateRewardState()
of SingleSidedLiquidityVault.sol.newBalance < rewardToken.lastBalance
returns true for a specific reward token.continue
comes before++i
, this non-incremented iteration is repeatedly executed till gas is run out.Impact
This will persistently cause DOS on
_accumulateExternalRewards()
for all function calls dependent on it. Depending on how big the deficiency is, the situation can only be remedied by:deactivate()
is called.Note: The situation could be worse if more than 1 elements in the array
ExternalRewardToken[]
were similarly affected.Code Snippet
File: WstethLiquidityVault.sol#L192-L216
Tool used
Manual Review
Recommendation
Consider having the affected code logic refactored as follows:
This will safely increment
i
whencontinue
is hit and move on to the nexti + 1
iteration while still having SafeMath unchecked for the entire scope of the for loop.The text was updated successfully, but these errors were encountered: