DeFiHardhat
12,000 USDC
Submission Details
Severity: low
Invalid

Missing check for the length of the `reserves` in calcLPTokenUnderlying

Summary

The function assumes that the `reserves` array has a length of 2, but it never checks this.
If the array has a different size, it could cause unexpected behavior or errors.

Vulnerability Details

```solidity
function calcLPTokenUnderlying(
    uint256 lpTokenAmount,
    uint256[] calldata reserves, // @audit missing check for the length of reserves
    uint256 lpTokenSupply,
    bytes calldata
) external pure returns (uint256[] memory underlyingAmounts) {
    underlyingAmounts = new uint256[](2);
    underlyingAmounts[0] = lpTokenAmount.mulDiv(reserves[0], lpTokenSupply);
    underlyingAmounts[1] = lpTokenAmount.mulDiv(reserves[1], lpTokenSupply);
}
```

Impact

It could cause unexpected behavior or errors.

Tools Used

Manual

Recommendations

Consider adding a check for the length of `reserves`:

```solidity
if (reserves.length != 2) revert("Invalid length");
```

Alternatively, size `underlyingAmounts` from the length of `reserves`, like this:

```solidity
underlyingAmounts = new uint256[](reserves.length);
for (uint256 i; i < reserves.length; ++i) {
    underlyingAmounts[i] = lpTokenAmount.mulDiv(reserves[i], lpTokenSupply);
}
```
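
The two wrong-length cases behind "unexpected behavior or errors", made concrete in an added example (not code from the submission or the audited project): a too-short array already reverts on the out-of-bounds index, while a too-long one is accepted and its extra entries are ignored. The contract, function and error names are hypothetical, and plain multiplication and division stand in for `mulDiv`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. All names here are hypothetical, and
// plain `a * b / c` stands in for the page's mulDiv (sample values cannot overflow).
contract ReservesLengthDemo {
    error InvalidReservesLength(uint256 length);

    // Same fixed-index access as the function quoted in the finding.
    function calcUnchecked(uint256 lpTokenAmount, uint256[] calldata reserves, uint256 lpTokenSupply)
        public pure returns (uint256[] memory out)
    {
        out = new uint256[](2);
        out[0] = lpTokenAmount * reserves[0] / lpTokenSupply;
        out[1] = lpTokenAmount * reserves[1] / lpTokenSupply;
    }

    // First recommendation: accept exactly two reserves, here with a custom error.
    function calcChecked(uint256 lpTokenAmount, uint256[] calldata reserves, uint256 lpTokenSupply)
        external pure returns (uint256[] memory)
    {
        if (reserves.length != 2) revert InvalidReservesLength(reserves.length);
        return calcUnchecked(lpTokenAmount, reserves, lpTokenSupply);
    }

    // Calls both variants with constructed inputs of length 1 and 3.
    function probe() external view returns (bool shortPanics, bool extraIgnored, bool checkedRejects) {
        uint256[] memory one = new uint256[](1);
        one[0] = 100;
        uint256[] memory three = new uint256[](3);
        three[0] = 100; three[1] = 200; three[2] = 300;

        // Length 1: reserves[1] is out of bounds, so 0.8.x reverts with Panic(0x32).
        try this.calcUnchecked(10, one, 100) {}
        catch Panic(uint256 code) { shortPanics = code == 0x32; }

        // Length 3: no revert; the third reserve never reaches the result.
        uint256[] memory r = this.calcUnchecked(10, three, 100);
        extraIgnored = r.length == 2 && r[0] == 10 && r[1] == 20;

        // Length 3 against the checked variant: reverts with the custom error.
        try this.calcChecked(10, three, 100) {}
        catch (bytes memory data) { checkedRejects = bytes4(data) == InvalidReservesLength.selector; }
    }
}
```
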
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational/Invalid
