giveLoan accepts two arrays as input and iterates through both of them, but lacks a check to ensure that they have equal length.
As mentioned above, giveLoan is missing a check to ensure that the array lengths are equal. The loop in giveLoan is bounded by the length of loanIds. If the other array, poolIds, is shorter, this causes out-of-bounds indexing and a revert. If poolIds is longer, part of poolIds remains unchecked, because the iterations are made with respect to the length of loanIds. As an example of the impact, frontends can display faulty information if they provide arrays with bad lengths and assume the unchecked part of poolIds was checked when it was not.
The extent is limited to this because poolIds isn't read any further once the loop exits. If it were, the "unchecked" section of poolIds could have those pools partially populated with data, which could lead to a high-severity vulnerability.
Reverts if loanIds.length > poolIds.length.
Leaves part of poolIds unchecked if loanIds.length < poolIds.length.
Manual review.
Add a check at the start of the giveLoan function, ensuring the array lengths are equal. Pseudocode with custom errors:
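One way to write that check, shown as an added example rather than the report's or the project's own code. Only giveLoan, loanIds and poolIds come from the finding; the contract name, the element types, the poolOfLoan mapping, the simplified loop body and the ArrayLengthMismatch error are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal stand-in for the contract under review (assumed layout).
contract LenderSketch {
    /// Hypothetical custom error; it carries both lengths so a caller or
    /// frontend can see exactly how the inputs disagreed.
    error ArrayLengthMismatch(uint256 loanIdsLength, uint256 poolIdsLength);

    // loanId => poolId now backing the loan (assumed storage, stands in for
    // the real per-loan processing the finding does not show).
    mapping(uint256 => bytes32) public poolOfLoan;

    function giveLoan(
        uint256[] calldata loanIds,
        bytes32[] calldata poolIds
    ) external {
        // Reject mismatched inputs before any state is touched.
        // Shorter poolIds: without this check the loop would hit an
        // out-of-bounds index and revert with a generic panic.
        // Longer poolIds: without this check the trailing entries would be
        // silently ignored.
        if (loanIds.length != poolIds.length) {
            revert ArrayLengthMismatch(loanIds.length, poolIds.length);
        }

        // From here on, index i is valid for both arrays, and every poolIds
        // entry is consumed exactly once.
        for (uint256 i = 0; i < loanIds.length; i++) {
            poolOfLoan[loanIds[i]] = poolIds[i];
        }
    }
}
```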