stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Array length mismatch vulnerability in `performUpkeep`

Summary

This submission concerns the performUpkeep function of the RewardsInitiator contract. The review focused on potential vulnerabilities related to array lengths and out-of-bounds array access. The specific concern is that the lengths of the arrays strategies and strategiesToUpdate are not explicitly checked for a mismatch before array indices are accessed in a loop.

Vulnerability Details

The performUpkeep function may be susceptible to out-of-bounds array access if the lengths of arrays strategies and strategiesToUpdate do not match. The code lacks a check to ensure that the indices provided in strategiesToUpdate are within the valid range of the strategies array.

Code Snippet:

    function performUpkeep(bytes calldata _performData) external {
        address[] memory strategies = stakingPool.getStrategies();
        uint256[] memory strategiesToUpdate = abi.decode(_performData, (uint256[]));

        // Check for a mismatch in array lengths
        if (strategiesToUpdate.length > strategies.length) {
            revert MismatchedArrayLengths();
        }
        if (strategiesToUpdate.length == 0) revert NoStrategiesToUpdate();

        for (uint256 i = 0; i < strategiesToUpdate.length; ++i) {
            if (IStrategy(strategies[strategiesToUpdate[i]]).getDepositChange() >= 0) revert PositiveDepositChange();
        }

        stakingPool.updateStrategyRewards(strategiesToUpdate, "");
    }

Impact

If a mismatch in array lengths occurs, the contract may attempt to access out-of-bounds indices in the strategies array, leading to a runtime error and causing the entire transaction to revert. This could result in unexpected behavior when Chainlink automation calls performUpkeep.

POC

Scenario:

  • strategies: 2 items.

  • strategiesToUpdate: 3 items.

  1. First Iteration (i = 0):

    • Check on strategiesToUpdate[0] succeeds as it points to a valid index in strategies.

  2. Second Iteration (i = 1):

    • Check on strategiesToUpdate[1] succeeds as it points to a valid index in strategies.

  3. Third Iteration (i = 2):

    • Attempt to check strategiesToUpdate[2] fails, as it points to an index outside the valid range of the 2-item strategies array.

Result:

  • The third iteration attempts an out-of-bounds access, risking unexpected behavior and potential transaction revert.
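An added example, not part of the submission or of stake.link's code: it contrasts the length comparison from the snippet with a check on each decoded index value, using a constructed two-strategy list. The contract name, function names and the InvalidStrategyIndex error are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration, not stake.link code. Contract, function names and
/// the InvalidStrategyIndex error are hypothetical.
contract UpkeepIndexCheck {
    error NoStrategiesToUpdate();
    error MismatchedArrayLengths();
    error InvalidStrategyIndex(uint256 position, uint256 index);

    /// Mirrors the checks in the snippet: only the two lengths are compared.
    function lengthCheckOnly(address[] memory strategies, bytes memory performData)
        public pure returns (address last)
    {
        uint256[] memory toUpdate = abi.decode(performData, (uint256[]));
        if (toUpdate.length > strategies.length) revert MismatchedArrayLengths();
        if (toUpdate.length == 0) revert NoStrategiesToUpdate();
        for (uint256 i = 0; i < toUpdate.length; ++i) {
            // Solidity >=0.8 bounds-checks this read; a bad index reverts with Panic(0x32).
            last = strategies[toUpdate[i]];
        }
    }

    /// Validates each decoded value against the number of strategies before use.
    function perIndexCheck(address[] memory strategies, bytes memory performData)
        public pure returns (address last)
    {
        uint256[] memory toUpdate = abi.decode(performData, (uint256[]));
        if (toUpdate.length == 0) revert NoStrategiesToUpdate();
        for (uint256 i = 0; i < toUpdate.length; ++i) {
            uint256 idx = toUpdate[i];
            if (idx >= strategies.length) revert InvalidStrategyIndex(i, idx);
            last = strategies[idx];
        }
    }

    /// Constructed input: two strategies, one entry whose index value is 5.
    function sample() public pure returns (address[] memory strategies, bytes memory performData) {
        strategies = new address[](2);
        strategies[0] = address(uint160(0x1001));
        strategies[1] = address(uint160(0x1002));
        uint256[] memory toUpdate = new uint256[](1);
        toUpdate[0] = 5;
        performData = abi.encode(toUpdate);
    }
}
```

With the output of sample(), lengthCheckOnly passes both length checks (1 is not greater than 2) and then reverts with Panic(0x32) at the array read, while perIndexCheck reverts with InvalidStrategyIndex(0, 5) before any read.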

Tools Used

Manual code review.

Recommendations

Mismatched Array Length Check: Implement a check to ensure that the lengths of arrays strategies and strategiesToUpdate match before proceeding to the loop. This check should be performed at the beginning of the performUpkeep function.

    // Check for a mismatch in array lengths
    if (strategiesToUpdate.length > strategies.length) {
        revert MismatchedArrayLengths();
    }

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
