Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`WithdrawalPool::getBatchIds` returning `batchIds` for those `_withdrawalIds` which don't even exist

shahilhussain

Summary

getBatchIds return the batchId for a given withdrawalId, but if a withdrawalId doesn't exist then it will return 0 batchId, as the codebase is not handling for those cases where withdrawalId doesn't exist

Vulnerability Details

function getBatchIds(uint256[] memory _withdrawalIds) public view returns (uint256[] memory) {
uint256[] memory batchIds = new uint256[]();
for (uint256 i = 0; i < _withdrawalIds.length; ++i) {
@> uint256 batchId;
uint256 withdrawalId = _withdrawalIds[i];
for (uint256 j = withdrawalBatchIdCutoff; j < withdrawalBatches.length; ++j) {
uint256 indexOfLastWithdrawal = withdrawalBatches[j].indexOfLastWithdrawal;
if (withdrawalId <= indexOfLastWithdrawal) {
batchId = j;
break;
}
}
@> batchIds[i] = batchId;
}
return batchIds;
}

Inside the first loop we have a variable batchId and after the end of second loop we are setting batchIds[i] = batchId;. If withdrawalId doesn't exist then batchId value will be set and the default value is 0. So it will set 0.
Example:-
-> user passes the argument [2,5,20]
-> withdrawalId 2 is in the batch1
-> withdrawalId 5 is in the batch2
-> withdrawalId 20 doesn't exist but batchId will be 0
-> final return values will be [1,2,0]

Impact

It's returning the value 0 instead of reverting

Tools Used

Manual Review

Recommendations

revert when withdrawalId doesn't exist

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.