Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

unexpected revert due to an out-of-bounds array access

Summary

In the function performUpkeep in LSTRewardsSplitterController.sol, if splittersToCall.length is larger than accounts.length, it could lead to an unexpected revert due to an out-of-bounds array access.

Vulnerability Details

    function performUpkeep(bytes calldata _performData) external {
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        bool splitterCalled;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (splittersToCall[i] == true) {
                splitters[accounts[i]].performUpkeep(""); // here
                splitterCalled = true;
            }
        }
        if (splitterCalled == false) {
            revert InvalidPerformData();
        }
    }

When the length of splittersToCall provided by the user exceeds the length of accounts, it will attempt to access non-existent data in accounts, leading to potential issues.

Recommendations

We introduce a new variable iterationLength which is set to the smaller of splittersToCall.length and accounts.length.

    function performUpkeep(bytes calldata _performData) external {
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        bool splitterCalled;
        // Ensure we don't iterate beyond the smaller of the two arrays
        uint256 iterationLength = splittersToCall.length < accounts.length ? splittersToCall.length : accounts.length;
        for (uint256 i = 0; i < iterationLength; ++i) {
            if (splittersToCall[i] == true) {
                splitters[accounts[i]].performUpkeep("");
                splitterCalled = true;
            }
        }
        if (splitterCalled == false) {
            revert InvalidPerformData();
        }
    }
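
A minimal model of the loop quoted above, added here as an illustration (it is not code from the submission or from the project's repository), for checking which inputs actually reach accounts[i]. MockSplitter, ControllerModel, Probe, the sample addresses and the ^0.8.4 pragma are assumptions, as is accounts being a dynamic storage array.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical stand-in for a splitter; it only counts calls.
contract MockSplitter {
    uint256 public calls;
    function performUpkeep(bytes calldata) external { ++calls; }
}

// Hypothetical model of the controller: accounts is assumed to be a dynamic storage array.
contract ControllerModel {
    error InvalidPerformData();
    address[] internal accounts;
    mapping(address => MockSplitter) internal splitters;

    constructor(uint256 n) {
        for (uint256 i = 0; i < n; ++i) {
            address a = address(uint160(i + 1)); // constructed sample account
            accounts.push(a);
            splitters[a] = new MockSplitter();
        }
    }

    // Loop as quoted in the submission.
    function performUpkeep(bytes calldata _performData) external {
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        bool splitterCalled;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (splittersToCall[i] == true) {
                splitters[accounts[i]].performUpkeep(""); // index is checked at runtime
                splitterCalled = true;
            }
        }
        if (splitterCalled == false) revert InvalidPerformData();
    }
}

contract Probe {
    // Calls a 2-account model with `flags`; reports success and whether the revert
    // data is Panic(0x32), the code Solidity 0.8 emits for an out-of-bounds index.
    function run(bool[] memory flags) external returns (bool ok, bool indexPanic) {
        ControllerModel c = new ControllerModel(2);
        bytes memory data = abi.encodeWithSelector(ControllerModel.performUpkeep.selector, abi.encode(flags));
        bytes memory ret;
        (ok, ret) = address(c).call(data);
        indexPanic = keccak256(ret) == keccak256(abi.encodeWithSignature("Panic(uint256)", uint256(0x32)));
    }
}
```

Calling run with [true, false, false] succeeds because the extra false flag never indexes accounts, while [false, false, true] reverts with the index panic before any splitter is called.
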
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
