DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Mismatch Between NatSpec and Function Implementation: createTradingAccountAndMulticall Documents Only One of Its Three Parameters

Summary

The NatSpec for createTradingAccountAndMulticall documents only the data parameter and the results return value; the referralCode and isCustomReferralCode parameters are undocumented. Integrators who rely on the generated documentation rather than the source may therefore misunderstand what the function expects and misuse it.

Vulnerability Details

Description: The NatSpec comment describes the function as creating a new trading account and then multicalling with the supplied data payload. It documents data as the only parameter and results as the return value; the referralCode and isCustomReferralCode parameters, which are forwarded to createTradingAccount, are not documented at all.

Root Cause: The NatSpec was not updated when the referralCode and isCustomReferralCode parameters were added to the function signature.

Proof of Concept:

Here is the mismatched function and its current NatSpec documentation:

/// @notice Creates a new trading account and multicalls using the provided data payload.
/// @param data The data payload to be multicalled.
/// @return results The array of results of the multicall.
function createTradingAccountAndMulticall(
    bytes[] calldata data,
    bytes memory referralCode,
    bool isCustomReferralCode
)
    external
    payable
    virtual
    returns (bytes[] memory results)
{
    uint128 tradingAccountId = createTradingAccount(referralCode, isCustomReferralCode);
    results = new bytes[](data.length);
    for (uint256 i = 0; i < data.length; i++) {
        // Splice the new account id in as the first 32-byte argument, directly after the 4-byte selector.
        bytes memory dataWithAccountId = bytes.concat(data[i][0:4], abi.encode(tradingAccountId), data[i][4:]);
        (bool success, bytes memory result) = address(this).delegatecall(dataWithAccountId);
        if (!success) {
            // Bubble up the callee's revert data unchanged.
            uint256 len = result.length;
            assembly {
                revert(add(result, 0x20), len)
            }
        }
        results[i] = result;
    }
}

Impact

  • Integrators who read the NatSpec (for example through generated documentation or IDE hover text) are not told about referralCode and isCustomReferralCode and may pass wrong or default values.

  • A comment that no longer matches the signature is a maintenance hazard: the next change to the function is likely to be written against the documented interface rather than the real one, widening the gap.

Tools Used

Manual Review

Recommendations

Update the NatSpec to document the referralCode and isCustomReferralCode parameters. The function with complete NatSpec:

/// @notice Creates a new trading account and multicalls using the provided data payload.
/// @param data The data payload to be multicalled.
/// @param referralCode The referral code associated with the new trading account.
/// @param isCustomReferralCode Indicates whether the referral code is custom.
/// @return results The array of results of the multicall.
function createTradingAccountAndMulticall(
    bytes[] calldata data,
    bytes memory referralCode,
    bool isCustomReferralCode
)
    external
    payable
    virtual
    returns (bytes[] memory results)
{
    uint128 tradingAccountId = createTradingAccount(referralCode, isCustomReferralCode);
    results = new bytes[](data.length);
    for (uint256 i = 0; i < data.length; i++) {
        bytes memory dataWithAccountId = bytes.concat(data[i][0:4], abi.encode(tradingAccountId), data[i][4:]);
        (bool success, bytes memory result) = address(this).delegatecall(dataWithAccountId);
        if (!success) {
            uint256 len = result.length;
            assembly {
                revert(add(result, 0x20), len)
            }
        }
        results[i] = result;
    }
}

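To keep the comment and the signature from drifting apart again, the check below can run in CI over the Solidity sources. It is an added example, not part of the original finding or of the project's code base: a small regex-based scanner that pairs each `function` declaration with the `///` block directly above it and reports parameters that have no `@param` tag (and `@param` tags that match no parameter). The two embedded Solidity snippets are constructed from the declaration quoted in this finding, once as submitted and once with the recommended NatSpec; the function bodies are elided because the scanner only looks at the declaration.

```python
"""Flag Solidity functions whose NatSpec @param tags do not match the parameter list.

Added example, not part of the original finding or the project's code base. The
parser is deliberately simple: it understands `///` line comments placed directly
above a `function` declaration and named parameters only (no `/** */` blocks).
"""
import re

# Constructed sample: the declaration as quoted in the finding, body elided.
SAMPLE_BEFORE = """
    /// @notice Creates a new trading account and multicalls using the provided data payload.
    /// @param data The data payload to be multicalled.
    /// @return results The array of results of the multicall.
    function createTradingAccountAndMulticall(
        bytes[] calldata data,
        bytes memory referralCode,
        bool isCustomReferralCode
    )
        external
        payable
        virtual
        returns (bytes[] memory results)
    {
        // body elided
    }
"""

# Constructed sample: the same declaration with the recommended NatSpec applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "    /// @return results",
    "    /// @param referralCode The referral code associated with the new trading account.\n"
    "    /// @param isCustomReferralCode Indicates whether the referral code is custom.\n"
    "    /// @return results",
)

# Group 1: zero or more `///` lines directly above the declaration;
# group 2: function name; group 3: raw text between the parentheses.
FUNC_RE = re.compile(
    r"((?:[ \t]*///[^\n]*\n)*)"
    r"[ \t]*function\s+(\w+)\s*\(([^)]*)\)"
)


def declared_params(param_list: str) -> list[str]:
    """Return parameter identifiers from a raw `type location name, ...` list.

    The identifier is the last whitespace-separated token, so an unnamed
    parameter (type only) is reported under its type name: a known limitation.
    """
    return [piece.split()[-1] for piece in param_list.split(",") if piece.strip()]


def documented_params(doc_block: str) -> list[str]:
    """Return the names carried by `/// @param <name>` tags, in source order."""
    return re.findall(r"///\s*@param\s+(\w+)", doc_block)


def check_natspec(source: str) -> dict[str, dict[str, list[str]]]:
    """Map each function name to its undocumented and over-documented parameters."""
    report = {}
    for doc, name, params in FUNC_RE.findall(source):
        declared = declared_params(params)
        documented = documented_params(doc)
        report[name] = {
            "missing": [p for p in declared if p not in documented],
            "extra": [p for p in documented if p not in declared],
        }
    return report


def format_report(report: dict[str, dict[str, list[str]]]) -> list[str]:
    """One human-readable line per mismatch; empty when documentation matches."""
    lines = []
    for name, issues in report.items():
        for p in issues["missing"]:
            lines.append(f"{name}: parameter `{p}` has no @param tag")
        for p in issues["extra"]:
            lines.append(f"{name}: @param `{p}` does not match any parameter")
    return lines


if __name__ == "__main__":
    for label, src in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings = format_report(check_natspec(src))
        print(f"[{label}] {len(findings)} mismatch(es)")
        for line in findings:
            print("  " + line)
```

Run against the declaration as submitted, the scanner reports referralCode and isCustomReferralCode as undocumented; with the recommended NatSpec it reports nothing. The `extra` list catches the opposite drift (a tag left behind after a parameter is renamed or removed), which is the case a later rename of referralCode would produce.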
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
