stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Address validation vulnerability in `getLockIdsByOwner` function

0xtheblackpanther

Summary

The getLockIdsByOwner function has been audited for potential vulnerabilities and security concerns. The function is designed to retrieve lock IDs associated with a specific owner address. The audit identified a potential issue related to address validation and an assert statement within the function.

Vulnerability Details

Lack of Address Validation

The function does not validate the _owner address parameter, which could result in unexpected behavior if the zero address is passed. This lack of validation can be exploited, as passing the zero address may manipulate the assert check inside the function.

The assert statement assert(lockIdsFound == lockCount); may be manipulated when the zero address is provided as the owner. In such cases, both lockIdsFound and lockCount will be zero, causing the assert statement to pass, potentially leading to unintended consequences.

Impact

The impact of these vulnerabilities is significant. An attacker could exploit the lack of address validation to pass the zero address as the owner, manipulating the assert statement and potentially causing unexpected behavior in the contract.

POC

Copy the below function
Run the test via forge test --match-test testGetLockIdsByOwner -vvv
You will get the below results

Results:

Running 1 test for test/fuzz/FuzzTester.t.sol:FuzzTester

[PASS] testGetLockIdsByOwner() (gas: 15576)

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.84ms

Test code:

function testGetLockIdsByOwner() public {

address zeroAddy = makeAddr("0x0");

uint256[] memory _lockIds = sdlPool.getLockIdsByOwner(zeroAddy);

uint256[] memory emptyArray;

assertEq(_lockIds, emptyArray);

}

Tools Used

Manual code review.

Recommendations

Address Validation:

Implement address validation within the getLockIdsByOwner function to ensure that the provided address is not the zero address and is a valid Ethereum address.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.