
Vulnerable to DoS attack by making many Buy/Sell orders

Open bezalel opened this issue 8 years ago • 1 comments

If an attacker makes many buy/sell orders differing by a slight price gap and requesting a very small amount of (bidding/asking) tokens, the contract might enter a denial-of-service state in which every transaction would get an Out-Of-Gas exception (beyond the block gas limit), and the ITT contract will be halted.

Vulnerable code for DoS attack:

  • CLL.seek in make function
  • while loop in take function

What do you think about this?

bezalel, Dec 07 '16 09:12

Let me think on it more but,

The while loop in take exits gracefully when gas gets too low and sets the make parameter to false so no make is attempted which would lead to spread collisions.

The seek() function is used for price insertion. It enters at the spread and works up or down the pricebook depending on side. It could go OOG but only for the attacker who is maker. It would certainly be inefficient for the taker but wouldn't DOS completely.

o0ragman0o, Dec 07 '16 09:12
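
The behaviour described in the reply above, as a toy Python model added here (it is not ITT's Solidity code): `take` stops filling once gas falls below a reserve and returns `make = False`, while `seek` walks from the spread at the caller's (maker's) expense. The gas constants, function signatures and the `dust_book` helper are assumptions made for illustration.

```python
# Toy model of the two code paths discussed in this thread (not ITT's code).
# Gas numbers are constructed constants, not real EVM costs.
STEP_GAS = 5_000      # assumed cost of visiting one price level in seek
FILL_GAS = 30_000     # assumed cost of filling one resting order in take
RESERVE_GAS = 40_000  # assumed gas needed to finish the call cleanly


class OutOfGas(Exception):
    """Stands in for the EVM out-of-gas exception."""


def seek(asks, price, gas):
    """Walk up from the spread (asks[0]) to where `price` belongs.

    Returns (index, gas_left). The walk is paid for by the caller, the maker.
    """
    i = 0
    while i < len(asks) and asks[i][0] < price:
        gas -= STEP_GAS
        if gas < 0:
            raise OutOfGas("maker's own make() runs out of gas")
        i += 1
    return i, gas


def take(asks, want, limit_price, gas):
    """Fill a buy against asks priced <= limit_price; stop early on low gas.

    Returns (filled, gas_left, make); make is False after a low-gas exit.
    """
    filled = 0
    while want > 0 and asks and asks[0][0] <= limit_price:
        if gas < RESERVE_GAS + FILL_GAS:
            return filled, gas, False  # graceful exit, remainder is not made
        price, amount = asks[0]
        traded = min(want, amount)
        want, filled, gas = want - traded, filled + traded, gas - FILL_GAS
        if traded == amount:
            asks.pop(0)                # price level fully consumed
        else:
            asks[0] = (price, amount - traded)
    return filled, gas, want > 0       # normal exit: make any remainder


def dust_book(levels, start=100):
    """Constructed book: `levels` asks of one token each, one tick apart."""
    return [(start + i, 1) for i in range(levels)]
```

In this model a taker facing 1,000 dust levels gets a partial fill and keeps enough gas to return, and only the maker who asks `seek` to walk deep into the book hits the out-of-gas path.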