How can an array inflation cause you a DDoS?

The Beanstalk::transferDeposit function allows any user to transfer their deposit to another user. However, the function does not check the amount being transfered. Worse still, if this amount is 0, it repeatedly pushes the same depositId into s.accts[account].depositIdList[token]:

    function addDepositToAccount(
        ...
    ) internal {
        AppStorage storage s = LibAppStorage.diamondStorage();
        uint256 depositId = LibBytes.packAddressAndStem(token, stem);

        // add a depositId to an account's depositList, if there is not an existing deposit.
@>        if (s.accts[account].deposits[depositId].amount == 0) {
@>            s.accts[account].depositIdList[token].push(depositId);
        }
        ...
    }

A user can call SiloFacet::transferDeposit with an amount of 0 and any recipient multiple times to inflate the recipient's array length, causing a DoS for all functions that use s.accts[account].depositIdList[token] in memory (due to excessive gas costs for memory) or in a loop (due to excessive gas costs for executing instructions).

This bug only causes a full withdrawal/transfer/removal DoS because LibTokenSilo::removeDepositIDfromAccountList is called in LibTokenSilo::removeDepositFromAccount with this condition:

// Full remove
if (crateAmount > 0) {
  delete s.accts[account].deposits[depositId];
  removeDepositIDfromAccountList(account, token, depositId);
}

As a mitigating measure, it was recommended to implement an additional check when transferring token amounts:

    function addDepositToAccount(
        ...
    ) internal {
        AppStorage storage s = LibAppStorage.diamondStorage();
        uint256 depositId = LibBytes.packAddressAndStem(token, stem);

        // add a depositId to an account's depositList, if there is not an existing deposit.
-        if (s.accts[account].deposits[depositId].amount == 0) {
+        if (s.accts[account].deposits[depositId].amount == 0 && amount > 0) {
            s.accts[account].depositIdList[token].push(depositId);
        }
        ...
    }

So keep in mind this type of vulnerability and read the full report here:

Link: https://codehawks.cyfrin.io/c/2024-05-beanstalk-the-finale/s/491