Used assert to compare and check that values are equal, which is mostly used in debugging or testing.
The vulnerability in the getLockIdsByOwner function is related to the use of assert for error handling. Using assert in this way can lead to a poor user experience and potential misunderstandings about the contract's behavior. Here's a detailed breakdown of the issue and a proposed rewrite for better error handling:
Use of assert: In Solidity, assert is typically used for checking invariants and conditions that should always be true and is meant for internal errors. When an assert fails, it consumes all remaining gas and reverts the transaction. This is not ideal for error handling in regular contract logic.
Poor Error Messaging: When assert fails, it does not provide a clear error message, making it difficult for users (especially those who are not developers) to understand why a transaction failed.
Gas Consumption: Failing an assert statement consumes all remaining gas, which can be costly for the user.
No clear error message
Manual Review
To improve this function, consider using require instead of assert. require is more suitable for validating inputs and conditions within the contract's functions and allows you to provide a custom error message.
Here's how you might rewrite the function:
function
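As an added example (not the audited contract's code, whose function body is not shown on this page), the sketch below puts an assert-based check beside its require-based replacement. The contract name, storage layout, the `addLock` helper and the checked condition (`msg.sender == owner`) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Contract name, storage layout and the checked condition
// are assumptions; the audited function body is not shown on the page.
contract LockRegistryExample {
    // owner => ids of the locks that owner created
    mapping(address => uint256[]) private lockIdsByOwner;

    // Hypothetical helper so the getters below have data to return.
    function addLock(uint256 lockId) external {
        lockIdsByOwner[msg.sender].push(lockId);
    }

    // Before: assert validates a condition that depends on the caller.
    // When it fails, the caller receives a Panic with no reason string.
    function getLockIdsByOwnerWithAssert(address owner)
        external
        view
        returns (uint256[] memory)
    {
        assert(msg.sender == owner);
        return lockIdsByOwner[owner];
    }

    // After: require validates the same condition and reverts with a
    // message that a wallet or block explorer can display.
    function getLockIdsByOwner(address owner)
        external
        view
        returns (uint256[] memory)
    {
        require(msg.sender == owner, "LockRegistry: caller is not the owner");

        uint256[] memory ids = lockIdsByOwner[owner];

        // assert stays reserved for an internal invariant that no caller
        // input can break: the memory copy matches the storage array.
        assert(ids.length == lockIdsByOwner[owner].length);
        return ids;
    }
}
```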