Submission Details
Severity:
Consider checking Enumerable set return values for proper handling of activeMarketsIds
Summary
Vulnerability Details
activeMarketsIds is implemented as Enumerable set. It's add or remove fucntion returns a boolean. But the return value is not checked in the code.
EnumerableSet.UintSet activeMarketsIds;
The code doesn't check the return value of self.activeMarketsIds.remove(marketId).
function updateActiveMarkets(
Data storage self,
uint128 marketId,
SD59x18 oldPositionSize,
SD59x18 newPositionSize
)
internal
{
GlobalConfiguration.Data storage globalConfiguration = GlobalConfiguration.load();
// if this is a new position
if (oldPositionSize.isZero() && !newPositionSize.isZero()) {
// if this account has no other active positions
if (!globalConfiguration.accountsIdsWithActivePositions.contains(self.id)) {
// then record it into global config as an account having active positions
globalConfiguration.accountsIdsWithActivePositions.add(self.id);
}
// add this market id as active for this account
self.activeMarketsIds.add(marketId);
}
// if the existing position was closed
else if (oldPositionSize.neq(SD59x18_ZERO) && newPositionSize.eq(SD59x18_ZERO)) {
// remove this market as active for this account
self.activeMarketsIds.remove(marketId);
// if the account has no more active markets
if (self.activeMarketsIds.length() == 0) {
// then remove the account from active accounts in global config
globalConfiguration.accountsIdsWithActivePositions.remove(self.id);
}
}
}
It's generally good practice to check the return values of operations like remove() on sets.
Impact
Low
Tools Used
Manual review
Recommendations
Check return value of enumerable set's remove function
Updates
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.