Omniscia Gravita Protocol Audit
SortedVessels Manual Review Findings
SVS-01M: Insecure Data List Size Enforcement
Type | Severity | Location |
---|---|---|
Logical Fault | Informational | SortedVessels.sol:L121-L123 |
Description:
The `SortedVessels` function will insecurely set the `maxSize` of an asset's linked list to the maximum of `uint256`, enabling Denial-of-Service attacks to manifest.
Impact:
The overall list is utilized by off-chain components as per the Gravita Finance team. As such, the impact of this exhibit is negligible and has been downgraded to informational severity.
Example:
```solidity
if (data[_asset].maxSize == 0) {
    data[_asset].maxSize = MAX_UINT256;
}
```
Recommendation:
While the blockchain that the Gravita Protocol will be deployed on may have significantly lower gas costs than its Liquity counterpart, an upper bound still needs to be applied: regardless of the cost of executing a transaction, there is an inherent block gas limit that needs to be respected. As such, we advise applying a bound that is higher than Liquity's but still sensible, to avoid Denial-of-Service attacks.
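One way to apply the recommended bound, as an added example (not Gravita's or the auditor's code): a per-asset sorted list whose `maxSize` must be configured explicitly under a hard cap, with `isFull` enforced on insert. `BoundedSortedList`, `HARD_CAP`, `setMaxSize` and the cap value are assumptions for illustration, and caller restrictions on `insert` are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Gravita's SortedVessels code. Names other than
// maxSize / isFull are hypothetical; HARD_CAP is a placeholder value.
contract BoundedSortedList {
    struct Node { address prev; address next; uint256 key; bool exists; }
    struct Data { address head; uint256 size; uint256 maxSize; mapping(address => Node) nodes; }

    uint256 public constant HARD_CAP = 100_000; // assumption: tune to the chain's block gas limit
    address public immutable owner;
    mapping(address => Data) private data; // one list per asset

    constructor() { owner = msg.sender; }

    // Explicit, bounded configuration instead of a silent MAX_UINT256 default.
    function setMaxSize(address _asset, uint256 _size) external {
        require(msg.sender == owner, "not owner");
        require(_size > 0 && _size <= HARD_CAP, "size out of bounds");
        require(_size >= data[_asset].size, "below current size");
        data[_asset].maxSize = _size;
    }

    function isFull(address _asset) public view returns (bool) {
        return data[_asset].size >= data[_asset].maxSize;
    }

    // Descending insert. An unconfigured list (maxSize == 0) is always full,
    // so the walk below never exceeds maxSize iterations.
    function insert(address _asset, address _id, uint256 _key) external {
        Data storage d = data[_asset];
        require(!isFull(_asset), "list full or unconfigured");
        require(_id != address(0) && !d.nodes[_id].exists, "bad id");

        address prev = address(0);
        address cur = d.head;
        while (cur != address(0) && d.nodes[cur].key >= _key) {
            prev = cur;
            cur = d.nodes[cur].next;
        }
        Node storage n = d.nodes[_id];
        n.exists = true; n.key = _key; n.prev = prev; n.next = cur;
        if (prev == address(0)) d.head = _id; else d.nodes[prev].next = _id;
        if (cur != address(0)) d.nodes[cur].prev = _id;
        d.size++;
    }
}
```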
Alleviation:
While the `MAX_UINT256` "unlimited" limit is no longer set for the `maxSize` variable of the list, no max size is set and the `SortedVessels::isFull` function is no longer utilized by the code. The Gravita Finance team has opted to acknowledge this exhibit as the function is purely utilized for off-chain purposes.