The _withdrawLiquidity function in the contract lacks proper array length validation between the strategies array and the _data array, leading to a potential array length mismatch and an out-of-bounds access vulnerability.
The function _withdrawLiquidity assumes that the length of the strategies array matches the length of the _data array passed as a parameter. However, no validation is in place to ensure this. If the lengths differ, the function attempts to access elements beyond the bounds of the shorter array, potentially leading to out-of-bounds errors or unintended behavior during execution.
Specifically, the line _data[i - 1] does not check if _data has a sufficient number of elements to match the size of the strategies array. This can lead to the contract attempting to access an index that does not exist, causing a runtime exception or transaction failure.
If the array length mismatch is exploited, it could result in:
Transaction failures and reverts, halting the liquidity withdrawal process.
The contract may revert unexpectedly, disrupting normal operations and affecting the user experience.
Manual review of the _withdrawLiquidity function.
Array Length Check: Implement a check at the beginning of the _withdrawLiquidity function to ensure that the length of _data matches the length of the strategies array. For example:
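A sketch of this check beside the unchecked pattern, added here as an illustration and not taken from the audited contract. The IStrategy interface, its withdraw call, the descending loop and the DataLengthMismatch error are assumptions; only _withdrawLiquidity, strategies, _data and _data[i - 1] come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical strategy interface, assumed for this example.
interface IStrategy {
    function withdraw(bytes calldata data) external;
}

contract WithdrawLengthCheck {
    IStrategy[] public strategies;

    // Hypothetical custom error carrying both lengths for easier debugging.
    error DataLengthMismatch(uint256 expected, uint256 actual);

    constructor(IStrategy[] memory _strategies) {
        strategies = _strategies;
    }

    // Unchecked pattern from the finding: _data[i - 1] is indexed by the
    // strategies length with no prior comparison. If _data is shorter, the
    // access reverts with Panic(0x32) (array index out of bounds); if it is
    // longer, the surplus entries are silently ignored.
    function _withdrawLiquidityUnchecked(bytes[] calldata _data) internal {
        for (uint256 i = strategies.length; i > 0; i--) {
            strategies[i - 1].withdraw(_data[i - 1]);
        }
    }

    // Checked version: reject any mismatch before touching either array,
    // so the caller gets an explicit error instead of a generic panic.
    function _withdrawLiquidity(bytes[] calldata _data) internal {
        uint256 n = strategies.length;
        if (_data.length != n) revert DataLengthMismatch(n, _data.length);
        for (uint256 i = n; i > 0; i--) {
            strategies[i - 1].withdraw(_data[i - 1]);
        }
    }
}
```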
This ensures that both arrays are of the same length and prevents out-of-bounds access.