Truncation in assetId if assets exceed 255
Summary
In OwnerFacet.sol the createMarket function has an explicit conversion bug in which the higher order bits of an asset ID will be cut off if the number of assets exceeds 255.
Vulnerability Details
In OwnerFacet.sol the function createMarket has an explicit conversion in which the length of a dynamic array (uint256) is explicitly converted into type uint8. This conversion will have no errors as long as the number of assets does not exceed 255, (2^8 - 1). In the case the assets array in the AppStorage exceeds 255, the higher order bits of the value of the assetId in the Assets data structure will be truncated, resulting in non unique, and duplicate assetId's.
Impact
The main impact is that in the Asset Data Structure assetId will not be unique once the number of assets exceeds 255.
Tools Used
Manual Review
Recommendations
Set a hard limit on the number of assets if these were not expected to exceed 255.
Increase the size of the assetId variable in the Assets struct.
Completely remove the assetId variable as it appears to have no impact to the functioning of the protocol.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.