Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Lack of Input Validation and Inefficient Event Emission in `TokenManager::updateTokenWhiteListed` Function

Summary

The `TokenManager::updateTokenWhiteListed` function lacks proper input validation and emits an excessive number of events. It doesn't check for zero-address tokens or duplicate addresses in the input array, which could lead to unnecessary gas consumption and potential logical errors.

Additionally, the function emits an event for each token update, which could result in an excessive number of event emissions for large arrays.

Vulnerability Details

function updateTokenWhiteListed(
    address[] calldata _tokens,
    bool _isWhiteListed
) external onlyOwner {
    uint256 _tokensLength = _tokens.length;
    for (uint256 i = 0; i < _tokensLength; ) {
        // What if _tokens[i] == address(0)?
@>      _updateTokenWhiteListed(_tokens[i], _isWhiteListed);
        unchecked {
            ++i;
        }
    }
}

function _updateTokenWhiteListed(
    address _token,
    bool _isWhiteListed
) internal {
    tokenWhiteListed[_token] = _isWhiteListed;
    // Will emit for each token
@>  emit UpdateTokenWhiteListed(_token, _isWhiteListed);
}

In this function:

  • There's no check for zero addresses in the _tokens array.

  • There's no check for duplicate addresses.

  • An event is emitted for each token update, regardless of the array size.

Impact

  • Unnecessary gas consumption due to processing invalid or duplicate addresses.

  • Potential logical errors in the contract's state if zero addresses are whitelisted.

  • Excessive gas costs and blockchain bloat due to emitting an event for each token update, especially for large arrays.

  • Reduced efficiency of off-chain monitoring systems due to an unnecessarily large number of events.

Tools Used

Manual Review

Recommendations

  1. Implement input validation:

    1. Add a check for zero addresses.

    2. Consider adding a check for duplicate addresses (if that's a concern for the business logic).

  2. Optimize event emission:

    1. Emit a single event for the entire batch update instead of individual events.

+ event UpdateTokenWhitelistedBatch(address[] tokens, bool isWhiteListed);
function updateTokenWhiteListed(
address[] calldata _tokens,
bool _isWhiteListed
) external onlyOwner {
uint256 _tokensLength = _tokens.length;
+ require(_tokensLength > 0, "Empty array");
for (uint256 i = 0; i < _tokens.length;) {
+ address token = _tokens[i];
+ require(token != address(0), "Zero address");
+ tokenWhiteListed[token] = _isWhiteListed;
- _updateTokenWhiteListed(_tokens[i], _isWhiteListed);
unchecked {
++i;
}
}
+ emit UpdateTokenWhitelistedBatch(_tokens, _isWhiteListed);
}
- function _updateTokenWhiteListed(
- address _token,
- bool _isWhiteListed
- ) internal {
- tokenWhiteListed[_token] = _isWhiteListed;
- emit UpdateTokenWhiteListed(_token, _isWhiteListed);
- }
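
Review bot: The unchanged loop line reads `i < _tokens.length`, which does not match the function quoted earlier (`i < _tokensLength`) and leaves the cached `_tokensLength` used only by the new `require`; keep `i < _tokensLength` in the loop condition. The added `require(token != address(0), "Zero address")` reverts the whole batch on a single bad entry, which should be stated in the function's documentation, and the duplicate check from recommendation 1.2 is not implemented in this hunk. Removing `_updateTokenWhiteListed` also removes the only visible emission of `UpdateTokenWhiteListed`, so consumers of that event would need to switch to `UpdateTokenWhitelistedBatch`, whose `address[] tokens` argument still places every address in the log data.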

This revised version includes input validation and emits a single event for the entire batch, significantly reducing gas costs and improving efficiency.
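
The log cost of the two event designs can be estimated from standard EVM LOG pricing. The model below is an added example, not code from the submission or the Tadle code base. Because the page does not show the `UpdateTokenWhiteListed` declaration, it models the token address both indexed and non-indexed (an assumption).

```python
"""LOG-opcode gas for the two event designs discussed above (added example).

Models only the log cost (base + topics + data bytes); memory expansion and
the storage writes themselves are outside this model.
"""

G_LOG = 375        # base cost of any LOGn
G_LOG_TOPIC = 375  # per topic (topic 0 is the event signature hash)
G_LOG_DATA = 8     # per byte of log data
WORD = 32          # ABI-encoded values are padded to 32-byte words


def log_gas(topics: int, data_bytes: int) -> int:
    return G_LOG + G_LOG_TOPIC * topics + G_LOG_DATA * data_bytes


def per_token_events_gas(n: int, token_indexed: bool = False) -> int:
    """n emissions of UpdateTokenWhiteListed(address, bool).

    ASSUMPTION: the event declaration is not on the page, so the address is
    modelled as non-indexed by default and as indexed on request.
    """
    topics = 2 if token_indexed else 1
    data_words = 1 if token_indexed else 2   # bool only, or address + bool
    return n * log_gas(topics, data_words * WORD)


def batch_event_gas(n: int) -> int:
    """One UpdateTokenWhitelistedBatch(address[] tokens, bool isWhiteListed).

    Nothing is indexed in the recommended declaration, so the data is
    abi.encode(tokens, flag): array offset + bool + array length + n elements.
    """
    return log_gas(1, (3 + n) * WORD)


def comparison(sizes=(1, 10, 100)):
    """(n, per-token gas, batch gas, gas saved per token) for each batch size."""
    rows = []
    for n in sizes:
        single, batch = per_token_events_gas(n), batch_event_gas(n)
        rows.append((n, single, batch, (single - batch) // n))
    return rows


if __name__ == "__main__":
    for n, single, batch, saved in comparison():
        print(f"n={n:>3}  per-token={single:>7}  batch={batch:>6}  saved/token={saved}")
```

In this model the batch event costs more than a per-token event for a single-element array, and the saving per token levels off below about 1,000 gas as the array grows, because every address still appears in the log data.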

Updates

Lead Judging Commences

0xnevi Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
