stake.link

Summary

In SDLPoolCCIPControllerPrimary contract, an issue is present in the _buildCCIPMessage function. The function lacks validation for array length matching between _tokens and _tokenAmounts. This could potentially lead to unexpected behavior and runtime issues if the arrays provided as arguments have different lengths.

Vulnerability Details

The _buildCCIPMessage function does not include a check to ensure that the lengths of the _tokens and _tokenAmounts arrays match. This oversight could result in array out-of-bounds errors, data inconsistency, and potential reentrancy vulnerabilities if the function is used with mismatched array lengths.

The issue is present in the _buildCCIPMessage function within the SDLPoolCCIPControllerPrimary contract.

POC

In Solidity, arrays are zero-indexed, meaning the index of the first element is 0, the second element is at index 1, and so on. If you attempt to access an array element at an index beyond the array's declared length, you may encounter "Index out of bounds" errors. Let's break down how this issue can arise in the context of the our scenario:

Suppose we have the following arrays:

Now, let's say you attempt to access the fifth element of _tokenAmounts within a loop or by directly referencing it:

In this loop, when i reaches 4 (the last valid index for _tokenAmounts), the attempt to access _tokenAmounts[4] would go beyond the declared length of _tokenAmounts, which is 4.

Since _tokenAmounts is declared with a length of 4, valid indices for this array are 0, 1, 2, and 3. Attempting to access an element at index 4 would result in an "Index out of bounds" error. Solidity does not automatically resize arrays or pad them with default values; it simply does not allow access to elements beyond the declared length.

This situation can lead to unexpected behavior, crashes, or contract reversion, making it crucial to validate array lengths before attempting to access their elements to prevent such errors in smart contract code.

Impact

The absence of array length validation in the _buildCCIPMessage function poses a high-severity risk, potentially leading to inconsistent data processing and compromising the correctness and security of the entire system, especially in critical cross-contract interactions.

Tools Used

Manual review.

Recommendations

To address this issue and enhance the robustness of the _buildCCIPMessage function, we recommend the following:

Add Array Length Validation:

• Implement a check at the beginning of the function to ensure that the lengths of _tokens and _tokenAmounts arrays match. Revert the transaction if a mismatch is detected.