Category: Coding Mistakes

Next zapping ID potentially duplicated

High Severity
High Impact
High Likelihood

Description

The Initia chain allows vesting rewards from L2s to be released early and put into a liquidity pool. The liquidity token is then locked for the required period. This is known as zapping. When a user uses this feature, a Zapping object is created to record the details of the zapping. Each object has a unique ID, which is used to look it up in a table. The code to determine the ID is as follows.

    // The next ID is derived from the current number of entries in the table.
    let zid = table::length(&module_store.zappings);
    // Aborts if that ID is already in use, which can happen once entries have been removed.
    assert!(!table::contains(&module_store.zappings, zid), error::already_exists(EZAPPING_ALREADY_EXIST));

If deletions have happened in the table, for example because a user has fully released their zapping, the length of the table may no longer match the last ID that was handed out, so the ID computed from the length can already be in use. At that point the assertion aborts, and it is no longer possible to add new zappings until a sufficient number of existing entries have been deleted.
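To make the failure mode concrete, the following is an added model of the ID scheme, not Initia's code: a Python dict stands in for the Move table, `LengthBasedStore` mirrors the length-derived ID above, and `CounterBasedStore` is one hypothetical way to decouple IDs from the table length (the recommendation below does not prescribe a specific scheme). `simulate` creates a few zappings, fully releases one, and then tries to create more, reporting whether the duplicate-ID check blocks the feature. It also shows the one case where the length-based scheme survives: when only the most recently created entry was released.

```python
"""Model of the zapping-ID defect: length-based IDs collide after deletions.

Added example, not Initia's code. The class and function names here are
hypothetical; a dict plays the role of the Move table.
"""


class ZappingAlreadyExists(Exception):
    """Stands in for error::already_exists(EZAPPING_ALREADY_EXIST)."""


class LengthBasedStore:
    """Mirrors the reported scheme: next ID = table::length(zappings)."""

    def __init__(self):
        self.zappings = {}

    def next_id(self):
        zid = len(self.zappings)  # table::length(&module_store.zappings)
        if zid in self.zappings:  # !table::contains(...) assertion
            raise ZappingAlreadyExists(zid)
        return zid

    def add(self, details):
        zid = self.next_id()
        self.zappings[zid] = details
        return zid

    def release(self, zid):
        """Full release removes the entry, shrinking the table."""
        del self.zappings[zid]


class CounterBasedStore:
    """Hypothetical remediation: a monotonically increasing counter kept in
    the store, so the next ID never depends on how many entries remain."""

    def __init__(self):
        self.zappings = {}
        self.next_zid = 0

    def add(self, details):
        zid = self.next_zid
        self.next_zid += 1
        if zid in self.zappings:  # cannot happen; kept as a defensive check
            raise ZappingAlreadyExists(zid)
        self.zappings[zid] = details
        return zid

    def release(self, zid):
        del self.zappings[zid]


def simulate(store_cls, n_initial=3, release_index=0, n_after=2):
    """Create n_initial zappings, fully release the one at release_index,
    then try to create n_after more.

    Returns (ids_created_after_release, blocked); blocked is True when the
    duplicate-ID check aborted a creation, i.e. the feature is denied.
    """
    store = store_cls()
    initial = [store.add({"owner": f"user{i}"}) for i in range(n_initial)]
    store.release(initial[release_index])
    created = []
    for i in range(n_after):
        try:
            created.append(store.add({"owner": f"late{i}"}))
        except ZappingAlreadyExists:
            return created, True
    return created, False


if __name__ == "__main__":
    # Releasing any entry other than the newest one wedges the length-based scheme.
    print("length-based, released oldest:", simulate(LengthBasedStore))
    # Releasing only the newest entry happens to keep length == next free ID.
    print("length-based, released newest:", simulate(LengthBasedStore, release_index=2))
    # A counter is unaffected by deletions.
    print("counter-based, released oldest:", simulate(CounterBasedStore))
```

Running the module prints `([], True)` for the first case: after IDs 0, 1 and 2 exist and 0 is released, the table length is 2, ID 2 is still present, and the assertion aborts every subsequent creation. The second case shows why the issue can go unnoticed in simple tests that only release the newest zapping.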

Impact

This is a highly likely scenario that renders the zapping feature unusable. We suspect that in practice the above DoS condition will consistently hold true.

Recommendations

Use an ID-generation scheme that is uncorrelated with the length of the table.

Remediation

Zellic © 2024