DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Invalid

Lack of Input Validation in flagShort

Summary

Lack of input validation in flagShort.

Vulnerability Details

In the flagShort function, the asset, shorter, and id parameters are used directly without any validation. If an attacker is able to call this function with malicious inputs, it could potentially lead to issues.

Impact

Tools Used

Recommendations

To resolve this issue, you should add input validation checks for the asset, shorter, and id parameters in the flagShort function.

For the asset parameter, you should check if it's a valid contract address. You can use the isContract function to check if the address has code associated with it.

For the shorter parameter, you should check if it's a non-zero address.

For the id parameter, you should check if it's within the valid range of IDs that your system supports.

Here is an example of how you can add these checks:

    function flagShort(address asset, address shorter, uint8 id, uint16 flaggerHint)
        external
        isNotFrozen(asset)
        nonReentrant
        onlyValidShortRecord(asset, shorter, id)
    {
        // asset must be a non-zero address that has code deployed
        require(asset != address(0) && isContract(asset), "Invalid asset address");
        require(shorter != address(0), "Invalid shorter address");
        // id is a uint8, so a lower-bound check against 0 is always true;
        // only the upper bound needs checking
        require(id <= MAX_ID, "Invalid id");
        // rest of the code
    }

Please replace MAX_ID with the maximum ID that your system supports. Also, you need to implement the isContract function. Here is a simple implementation:

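    function isContract(address _addr) private view returns (bool) {
        // extcodesize yields a full 256-bit word, so hold it in a uint256
        uint256 size;
        assembly {
            size := extcodesize(_addr)
        }
        // Note: size is 0 while a contract's constructor is still running
        return (size > 0);
    }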

These checks will ensure that the function only processes valid inputs, which will make your contract more secure and robust.

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: User input validation
