Deposit Capacity Attacks #283

@UlyanaAndrukhiv

Context

Current Gap: Tests cover normal usage, need adversarial scenarios.

Missing Test Coverage:

  • Griefing Attacks
    • Attacker creates 1000 positions
    • Each position deposits minimum amount
    • Total consumes all deposit capacity
    • Legitimate users cannot deposit
  • Front-Running Capacity
    • User A prepares large deposit transaction
    • Attacker sees pending transaction
    • Attacker front-runs and consumes capacity
    • User A transaction fails due to insufficient capacity
  • Per-User Limit Bypass
    • User limit = 5% of capacity
    • User creates multiple accounts
    • Each account deposits up to limit
    • Effectively bypasses individual limit (Sybil attack)
  • Capacity Regeneration Manipulation
    • Attacker monitors regeneration timing
    • Submits deposits immediately after regeneration
    • Monopolizes regenerated capacity
    • Legitimate users starved
  • Queued Deposit Exploitation
    • User deposits exceed per-deposit limit
    • Excess queued for async processing
    • User cancels queued deposits after manipulating state
    • Potential for race conditions

Recommended Tests:

Test: Create 100 positions, each deposits 1% of capacity
Test: Front-run large deposit, consume capacity first
Test: User A creates 20 accounts, bypasses per-user limit
Test: Attacker deposits immediately after each regeneration cycle
Test: Queue large deposit, attempt to exploit during async processing
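
The first three recommended tests, sketched against a toy model as an added example (not code from this issue or from the project). The `Pool` class, the capacity of 1,000,000 units, the account names and the deposit sizes are all assumptions made for illustration; only the 5% per-user limit and the 100-position and 20-account figures come from the issue.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Hypothetical capacity-limited pool (constructed model, not the project's code)."""
    capacity: int = 1_000_000
    user_limit_bps: int = 500   # 5% of capacity, the figure used in the issue
    used: int = 0
    by_account: dict = field(default_factory=dict)

    def limit(self) -> int:
        return self.capacity * self.user_limit_bps // 10_000

    def deposit(self, account: str, amount: int) -> bool:
        """Accept only if both the global cap and the per-account cap still hold."""
        held = self.by_account.get(account, 0)
        if amount <= 0 or self.used + amount > self.capacity or held + amount > self.limit():
            return False
        self.used += amount
        self.by_account[account] = held + amount
        return True

def griefing(positions: int = 100):
    """100 positions each take 1% of capacity; a later 1-unit deposit is refused."""
    pool = Pool()
    accepted = sum(pool.deposit(f"pos-{i}", pool.capacity // positions) for i in range(positions))
    return accepted, pool.used, pool.deposit("legit-user", 1)

def sybil(accounts: int = 20):
    """One entity uses 20 accounts, each filled to the per-account limit."""
    pool = Pool()
    for i in range(accounts):
        pool.deposit(f"entity-A/{i}", pool.limit())
    entity_total = sum(v for k, v in pool.by_account.items() if k.startswith("entity-A/"))
    # Largest single-account share vs. share held by the one entity behind them.
    return max(pool.by_account.values()) / pool.capacity, entity_total / pool.capacity

def ordering(victim_first: bool):
    """Same set of deposits in two orders; only the ordering decides if user-A gets in."""
    pool = Pool()
    steps = [("user-A", 40_000)] + [(f"other-{i}", 50_000) for i in range(20)]
    if not victim_first:
        steps = steps[1:] + steps[:1]   # move user-A's deposit to the end
    results = {acct: pool.deposit(acct, amt) for acct, amt in steps}
    assert pool.used <= pool.capacity   # invariant every scenario must preserve
    return results["user-A"], pool.used
```

In this model every per-account check passes in all three scenarios, so a test suite that asserts only on per-account limits would stay green; the useful assertions are on total capacity consumed and on whether a later legitimate deposit still succeeds.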
