The manageUsersInPrivatePool function in the Distribution contract lacks bounds checking when iterating over the users_ and amounts_ arrays, which may result in array out-of-bounds errors.
The function manageUsersInPrivatePool iterates over the users_ and amounts_ arrays without verifying that the array lengths match. If the lengths differ, the loop can access nonexistent elements, resulting in array out-of-bounds errors.
The lack of bounds checking may lead to runtime errors, causing unexpected behavior or contract failure. An attacker could potentially exploit this vulnerability to manipulate the array lengths and cause the contract to behave in unintended ways.
No specific tools were used to identify this issue; it was identified through manual code review.
Implement bounds checking to ensure that the lengths of the users_ and amounts_ arrays match before iterating over them. Additionally, consider handling potential length mismatches gracefully by reverting with a descriptive error message if the lengths do not match.
Adding the check require(users_.length == amounts_.length, "DS: array lengths do not match"); ensures that the array lengths are consistent before proceeding with the iteration, preventing array out-of-bounds errors.
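The sketch below is an added example, not the Distribution contract's source: the contract name PrivatePoolSketch, the staked mapping and both function bodies are hypothetical, and it assumes the loop is bounded by users_.length. It puts an unchecked batch update beside one that uses the recommended require, and the comments note what Solidity 0.8 does in each mismatch direction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the Distribution contract's source.
// PrivatePoolSketch, staked and both function bodies are hypothetical.
// Access control is omitted to keep the sketch focused on the length check.
contract PrivatePoolSketch {
    mapping(address => uint256) public staked;

    // Unchecked variant: the loop bound comes from users_ only (assumption).
    //  - amounts_ shorter than users_: amounts_[i] is read out of bounds and
    //    Solidity >=0.8 reverts the whole call with Panic(0x32), which gives
    //    the caller no descriptive reason.
    //  - amounts_ longer than users_: the trailing amounts are silently
    //    ignored and the call succeeds, hiding a malformed batch.
    function manageUsersUnchecked(
        address[] calldata users_,
        uint256[] calldata amounts_
    ) external {
        for (uint256 i = 0; i < users_.length; ++i) {
            staked[users_[i]] = amounts_[i];
        }
    }

    // Checked variant: mismatched input is rejected before any state is
    // written, using the revert string recommended in the finding.
    function manageUsersChecked(
        address[] calldata users_,
        uint256[] calldata amounts_
    ) external {
        require(
            users_.length == amounts_.length,
            "DS: array lengths do not match"
        );
        for (uint256 i = 0; i < users_.length; ++i) {
            staked[users_[i]] = amounts_[i];
        }
    }
}
```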