In the VaultControllerStrategy.sol contract, the _depositToVaults function lacks validation for its input parameters, specifically _startIndex, _toDeposit, _minDeposits, and _maxDeposits. Without proper validation, incorrect or malicious inputs could lead to unexpected behavior, such as incorrect vault access, improper deposits, or potential contract malfunctions.
Invalid Vault Access:
Out-of-Bounds Errors: If _startIndex is greater than or equal to the number of vaults in the system (vaults.length), the function might attempt to access a non-existent vault, leading to a potential error or failure in the contract. This could result in transaction reverts or worse, depending on how the function handles this condition.
Unintentional Zero Deposits:
Zero or Negative Deposit Amounts: Without validation on _toDeposit, the function could potentially process deposits with a value of zero or even less, which could be either an inefficient transaction or a way to exploit the contract, depending on how negative values are handled.
Input Validation for Vault Index and Deposits:
Validate _startIndex: Ensure that _startIndex is a valid index within the vaults array by checking it against the total length of the vaults.
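A sketch of the recommended checks, added here as an example and not taken from VaultControllerStrategy.sol. The contract name, the `vaults` storage type, the `uint256` parameter types, the error names, and the min/max ordering check are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Illustrative example only: storage layout, parameter types and error names
// are assumptions, not the project's own code.
contract VaultDepositValidationExample {
    address[] internal vaults; // assumed shape of the vault list

    error InvalidStartIndex(uint256 startIndex, uint256 vaultCount);
    error ZeroDeposit();
    error InvalidDepositLimits(uint256 minDeposits, uint256 maxDeposits);

    constructor(address[] memory _vaults) {
        vaults = _vaults;
    }

    // Hypothetical guard meant to run at the top of a function such as
    // _depositToVaults, before any vault is read or any token is moved.
    function _validateDepositInputs(
        uint256 _startIndex,
        uint256 _toDeposit,
        uint256 _minDeposits,
        uint256 _maxDeposits
    ) internal view {
        // The index must refer to an existing vault; fail with a descriptive
        // error instead of relying on the compiler's array bounds panic.
        if (_startIndex >= vaults.length) {
            revert InvalidStartIndex(_startIndex, vaults.length);
        }
        // With uint256 parameters (assumed) a negative amount cannot be
        // encoded, so rejecting zero covers the no-op deposit case.
        if (_toDeposit == 0) revert ZeroDeposit();
        // Assumed invariant: the lower deposit limit never exceeds the upper.
        if (_minDeposits > _maxDeposits) {
            revert InvalidDepositLimits(_minDeposits, _maxDeposits);
        }
    }

    // External wrapper so the checks can be exercised from a test.
    function checkDepositInputs(
        uint256 _startIndex,
        uint256 _toDeposit,
        uint256 _minDeposits,
        uint256 _maxDeposits
    ) external view returns (bool) {
        _validateDepositInputs(_startIndex, _toDeposit, _minDeposits, _maxDeposits);
        return true;
    }
}
```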