Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Input Validation in `OWPIdentity::burnBatchMultiple` Could Lead to Unintended Outcomes and Manipulation of transaction history

0xmaxi

Summary

The burnBatchMultiple function is missing validation to ensure that the input arrays (tos, ids, and amounts) are non-empty. Currently, the function only checks that tos, ids, and amounts have matching lengths, but it does not enforce a minimum length. Without this check, the function can be called with empty arrays, leading to unintended behavior.

Vulnerability Details

The following example demonstrates a silent failure due to empty array inputs:

// Call `burnBatchMultiple` with empty arrays:

address[] memory tos;

uint256[] memory ids;

uint256[] memory amounts;

OWPIdentity.burnBatchMultiple(tos, ids, amounts);

This call does not trigger any burns but still incurs gas fees for the caller. Additionally, if transaction event logging is implemented within _burn or burnBatchMultiple, events would be emitted despite no burn actually taking place.

Impact

Wasted Gas:
If tos.length is 0, the function does not execute the burn loop, but gas is still spent on:

Function call overhead
Parameter validation for array length matches
Array length checks within the require statements

Although no actual operations occur, the caller incurs gas costs, making this an inefficient use of resources.

Silent Failures:
When empty arrays are passed, the function completes successfully without performing any burns. This silent failure could lead to situations where users or calling contracts assume tokens were burned when they were not, potentially resulting in misleading outcomes or faulty assumptions in downstream logic.

Security Implications:
Malicious actors could exploit this lack of validation by calling the function with empty arrays. This could allow for the creation of misleading transaction histories, as transaction events would be emitted despite no actual burn occurring. Attackers could use this to manipulate on-chain data or mislead users about burn events that never happened.

Tools Used

Manual Review

Recommendations

Add a check to ensure the input arrays are non-empty before proceeding with the burn operations. This could be implemented as follows:

function burnBatchMultiple(address[] memory tos, uint256[] memory ids, uint256[] memory amounts)

public

onlyRole(MINTER_ROLE)

{

+ require(tos.length > 0, "Empty array not allowed");

+ require(ids.length > 0, "Empty array not allowed");

+ require(amounts.length > 0, "Empty array not allowed");

require(tos.length == ids.length, "Invalid input");

require(amounts.length == ids.length, "Invalid input");

for(uint256 i = 0; i < tos.length; i++){

require(tos[i] != address(0), "Invalid address");

_burn(tos[i], ids[i], amounts[i]);

}

This simple validation step will prevent wasted gas on empty calls, ensure that silent failures do not occur, and mitigate potential manipulation of transaction history.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.