Incorrect Loop Counter Increment in `ReseedField` Contract
Summary
The inner loop incorrectly increments the outer loop's counter variable, leading to potential infinite loops, skipped data processing, and possible out-of-bounds array access.
Vulnerability Details
Looking at the init function;
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/beanstalk/init/reseed/L2/ReseedField.sol#L49
The inner loop mistakenly uses i++ instead of j++ to increment its counter. This causes the outer loop's counter to be incremented in each iteration of the inner loop, rather than the inner loop's own counter.
Impact
If any account has more than one plot, the inner loop may never terminate. Also, most accountPlots entries may be skipped, leaving large portions of data unprocessed. As i is incremented in the inner loop, it may exceed accountPlots.length, causing an out-of-bounds access attempt and due to the skipped data, the contract's state (including calculatedTotalPods) may be incorrectly initialized.
Tools Used
Manual code review
Recommendations
Modify the inner loop to correctly increment its counter:
Lead Judging Commences
Very broken loop in ReseedField::init
Appeal created
Very broken loop in ReseedField::init
Very broken loop in ReseedField::init
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.