DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Input Validation flagShort

0xch

Summary

Lack of Input Validation flagShort

Vulnerability Details

in the flagShort function, the asset, shorter, and id parameters are used directly without any validation. If an attacker is able to call this function with malicious inputs, it could potentially lead to issues.

Impact

Tools Used

Recommendations

To resolve this issue, you should add input validation checks for the asset, shorter, and id parameters in the flagShort function.

For the asset parameter, you should check if it's a valid contract address. You can use the isContract function to check if the address has code associated with it.

For the shorter parameter, you should check if it's a non-zero address.

For the id parameter, you should check if it's within the valid range of IDs that your system supports.

Here is an example of how you can add these checks:

function flagShort(address asset, address shorter, uint8 id, uint16 flaggerHint)

external

isNotFrozen(asset)

nonReentrant

onlyValidShortRecord(asset, shorter, id)

{

require(asset != address(0) && isContract(asset), "Invalid asset address");

require(shorter != address(0), "Invalid shorter address");

require(id >= 0 && id <= MAX_ID, "Invalid id");

// rest of the code

}

Please replace MAX_ID with the maximum ID that your system supports. Also, you need to implement the isContract function. Here is a simple implementation:

function isContract(address _addr) private view returns (bool) {

uint32 size;

assembly {

size := extcodesize(_addr)

}

return (size > 0);

}

These checks will ensure that the function only processes valid inputs, which will make your contract more secure and robust.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: User input validation

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.