Gas griefing using zero-value deposits and withdrawals
Description
Within the FCNProduct contract, users are able to submit deposits and withdrawals using the addToDepositQueue() and addToWithdrawalQueue() functions, respectively. Both of these functions allow zero-value deposits and withdrawals to be enqueued.
Impact
The deposits and withdrawals are later processed by the processDepositQueue() and processWithdrawalQueue() functions, respectively. These functions are intended to be called by a trader admin, and they do not distinguish between zero-value and non-zero-value deposits and withdrawals. This means the same amount of gas will be used in both instances. An attacker who wants to grief the protocol into wasting gas can choose to add a large number of zero-value deposits or withdrawals. The only way to empty the queues is with the aforementioned processing functions; thus, the trader admin will be forced to waste gas on these zero-value deposits and withdrawals.
Recommendations
Ensure that a user must deposit or withdraw a minimum amount of tokens.
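One way to enforce such a minimum at enqueue time, shown as an added sketch that is not the FCNProduct code or the client's fix. Only the two function names come from the finding; the contract name, storage layout, signatures, the minDepositAmount parameter and the batch-size argument are assumptions, and the withdrawal queue would take the same guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch: layout, signatures and access control are assumptions.
contract DepositQueueSketch {
    struct Deposit { address account; uint256 amount; }

    error BelowMinimum(uint256 amount, uint256 minimum);
    error NotTraderAdmin();

    IERC20 public immutable asset;
    address public immutable traderAdmin;
    uint256 public immutable minDepositAmount; // assumed parameter name
    Deposit[] public depositQueue;
    uint256 public head;                       // index of the next unprocessed entry
    mapping(address => uint256) public credited;

    constructor(IERC20 asset_, address traderAdmin_, uint256 minDepositAmount_) {
        // A zero minimum would let zero-value entries through again.
        require(minDepositAmount_ > 0, "minimum must be nonzero");
        asset = asset_;
        traderAdmin = traderAdmin_;
        minDepositAmount = minDepositAmount_;
    }

    function addToDepositQueue(uint256 amount) external {
        // Reject zero-value and dust entries before they can cost the admin gas.
        if (amount < minDepositAmount) revert BelowMinimum(amount, minDepositAmount);
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        depositQueue.push(Deposit(msg.sender, amount));
    }

    function processDepositQueue(uint256 maxItems) external {
        if (msg.sender != traderAdmin) revert NotTraderAdmin();
        uint256 end = head + maxItems;
        if (end > depositQueue.length) end = depositQueue.length;
        for (uint256 i = head; i < end; ++i) {
            Deposit memory d = depositQueue[i];
            // Every entry reaching this loop carries at least minDepositAmount.
            credited[d.account] += d.amount;
        }
        head = end;
    }
}
```

With the guard in place, each queue entry the trader admin pays gas to process has required the submitter to transfer at least the minimum amount of tokens.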
Remediation
The client has acknowledged and fixed this issue by setting a minimum deposit and withdrawal amount. This was fixed in commit 1944cc8f.