Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential Denial-of-Service (DoS) in Timelock pause Function #41

Closed
howlbot-integration bot opened this issue Oct 27, 2024 · 1 comment
Closed

Potential Denial-of-Service (DoS) in Timelock pause Function #41

howlbot-integration bot opened this issue Oct 27, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-24 partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) 🤖_06_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-10-kleidi/blob/ab89bcb443249e1524496b694ddb19e298dca799/src/Timelock.sol#L687-L698

Vulnerability details

Proof of Concept

The current implementation of the pause function attempts to cancel all live proposals within a single transaction:

function pause() public override {
    super.pause();

    bytes32[] memory proposals = _liveProposals.values();
    for (uint256 i = 0; i < proposals.length; i++) {
        bytes32 id = proposals[i];
        delete timestamps[id];
        assert(_liveProposals.remove(id));
        emit Cancelled(id);
    }
}

This implementation is vulnerable to a DoS attack in the following scenario:

  1. An attacker creates numerous small proposals, inflating the _liveProposals set.
  2. The number of proposals becomes so large that the gas required to process all of them in the pause function exceeds the block gas limit.
    As a result, it becomes impossible to pause the contract, potentially leaving it in a vulnerable state during emergencies

Recommended Mitigation Steps

Separate the pausing mechanism from the proposal cancellation process

Assessed type

DoS
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_06_group AI based duplicate group recommendation bug Something isn't working duplicate-4 sufficient quality report This report is of sufficient quality labels Oct 27, 2024
howlbot-integration bot added a commit that referenced this issue Oct 27, 2024
@howlbot-integration
Brene issue #41
151f680
@c4-judge
Copy link

GalloDaSballo marked the issue as partial-75

@c4-judge c4-judge added the partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-24 partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) 🤖_06_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge