SJIP: Clarify the guideline about repetitive DOS attacks

[WangSecurity]

Description

Clarify that the guideline about repetitive DOS attacks applies to DOS attacks even longer than one-block DOS.

Judging Guidelines PR

https://github.com/sherlock-protocol/sherlock-v2-docs/pull/60/files

Rationale

The current guideline about the repetitive DOS attacks involves only one-block DOS attacks, while it should be applied to all repetitive DOS attacks that last less than a week. For example, one-day DOS that can be repeated 7 times in a row should be evaluated as one-day DOS, even though it can be repeated indefinitely.

The reason for this change is that this has been a standard on Sherlock to judge the repetitive DOS issues, while the guideline was phrased for only one-block DOS.

Relevant Issue Discussions

No specific discussion.

[aslanbekaibimov]

Why was 1 week chosen in the first place? Imo, as long as DoS can realistically be achieved for 1 week, it should not matter how many iterations the attack requires

[aslanbekaibimov]

There are some issues from time to time where achieving 1 week dos via multiple back-to-back 1-hour / 1-day dos'es is trivial and there's no way to interrupt it (except extreme actions like redeploying), but they are still invalidated just because it's less than 1 week per iteration (I can't come up with an easy way to find them)

Perhaps it's not a big deal, and the current rule is fine.

[WangSecurity]

Yeah, I understand what you mean. I could see where longer DOSes, e.g. 3+-day, could fit in this guideline, cause only 2-3 iterations are needed to achieve 7-day DOS. However, 1-day DOS would require 7 iterations of the attack, and 1-hour DOS would be 168 iterations to achieve 7 days. From my perspective, it conflicts quite with common sense, since these attacks have to benefit the attacker and would be just a waste of gas.

We can rephrase the guideline to the following if it makes more sense:

If a single occurrence of the attack results in a denial of service (DOS) for less than a week, the issue should be evaluated based on a single occurrence of the attack, even if it can be repeated indefinitely. It qualifies as a medium-level issue only if it disrupts a clearly time-sensitive function.
Note: if a single occurrence of the DOS attack is ~3 days, and it takes only ~2-3 iterations to achieve a 7-day DOS, it may be a valid finding.

However, from my perspective, making the issue Low severity even in such a scenario is well enough. However, if you think it's better to update the guideline, feel free to share your opinion and we will be glad to consider it.

[aslanbekaibimov]

Yes, I think it's better to give Judges the option to validate attacks that require only few iterations and can not be trivially interrupted. >2 days per iteration sounds fine.

[WangSecurity]

okay, I see. I've added the following:

Note: if the single occurrence of the attack is relatively long (e.g. >2 days), and it takes only 2-3 iterations to cause a 7-day DOS, it may be considered a valid finding.

[WangSecurity]

let me know if it looks good