Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Account Index Initialization Vulnerability

sparrow

Summary

The PriorityPool contract contains a vulnerability in the account management system where the first account added to the system could be mistakenly treated as a new account in subsequent operations, and new accounts might be incorrectly identified as existing accounts.

Vulnerability Details

In the _deposit function, the contract uses the following logic to add new accounts:

if (accountIndexes[_account] == 0) {
accounts.push(_account);
accountIndexes[_account] = accounts.length - 1;
}

The issue arises because:

  • The accountIndexes mapping returns 0 for any new address (default value for mappings in Solidity).

  • The first account added to the accounts array will have an index of 0.
    This creates an ambiguity where accountIndexes[_account] == 0 could mean either the account is new or it's the first account in the system.

Impact

This vulnerability could lead to:

  • Duplicate entries in the accounts array.

  • Incorrect tracking of user balances or activities.

  • Potential exploitation in functions that rely on account existence checks.

  • Inconsistent state of the contract.
    The impact is significant as it affects the core functionality of account management, which is crucial for the correct operation of the staking and reward distribution mechanisms.

Tools Used

Manual code review

Recommendations

Use a sentinel value to indicate "not in system"

Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.