The pause function in the Timelock contract could be temporarily subjected to a DoS attack due to the unbounded iteration over the liveProposals array.

[howlbot-integration]

Lines of code

https://github.com/code-423n4/2024-10-kleidi/blob/ab89bcb443249e1524496b694ddb19e298dca799/src/Timelock.sol#L687-L700

Vulnerability details

Proof of Concept

The Timelock contract has a pause function that pauses and deletes all activeProposals that were scheduled before or have already expired but were not cleaned up (https://github.com/code-423n4/2024-10-kleidi/blob/ab89bcb443249e1524496b694ddb19e298dca799/src/Timelock.sol#L691-L692). Because we simply iterate over all liveProposals without any restrictions (an unbounded array), this means that more proposals result in a more expensive pause function, and in some circumstances, this could become an issue. For example:

1. One of the HotSigner's private keys is compromised, and a malicious user can now schedule their transactions.
2. The attacker schedules many transactions, making the liveProposals array very large.
3. The PauseGuardian tries to call pause to stop the spam, allowing time to address the leaked private key.
4. Since liveProposals already contains over 1,000 entities, the loop that deletes each entity exceeds the available block gas limit for the current chain, causing the pause transaction to fail.

The only available option is to cancel or clean up those proposals manually. However, the problem is that the Timelock allows for the deletion of only one proposal (by id), and there is no batch cancel function. This means deleting entities one by one is ineffective because the attacker can spam transactions at the same or a higher frequency.

Recommended Mitigation Steps

Restrict the number of proposals a user can schedule, and add a function to cancel or clean up several proposal IDs at once.

Assessed type

DoS

[c4-judge]

GalloDaSballo marked the issue as partial-75