Project

One World

NFTDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

burnBatchMultiple Length Mismatch Check

kunwarsiddarths

Summary

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/OWPIdentity.sol

The function burnBatchMultiple is intended to burn tokens across multiple accounts and token types. It verifies that the lengths of the tos (addresses), ids (token IDs), and amounts (amounts to burn) arrays are consistent. However, the function currently checks for the lengths of tos and ids, and amounts and ids, but it does not check if the lengths of tos and amounts are also equal.

require(tos.length == ids.length, "Invalid input");

require(amounts.length == ids.length, "Invalid input");

The above checks ensure that tos and amounts match the length of ids, but no verification is done to ensure tos.length == amounts.length.

Vulnerability Details

Impact

Incorrect Behavior: If tos.length does not equal amounts.length, the function will proceed without validation, which can lead to unintended results. For example, if there are more tos than amounts, it could cause the contract to attempt burning more tokens than intended, resulting in an incorrect or unexpected burn amount.

Potential Risks:

Runtime Errors: If the array lengths mismatch and the contract attempts to burn tokens from an address not specified in the arrays, it could cause the transaction to fail or behave unpredictably.
Loss of Tokens: If the arrays are mismatched, it could potentially burn an incorrect amount of tokens from an address. This could lead to unintended loss of tokens or discrepancies in the balances.

Exploitability

Exploitable Scenario: A malicious actor or an unintentional error could pass in arrays with mismatched lengths (e.g., tos with more addresses than amounts). This could result in burning tokens from the wrong addresses or burning more tokens than intended, depending on the implementation details.
Difficulty: The exploit is not difficult to trigger, as it simply requires passing arrays of mismatched lengths to the burnBatchMultiple function.

Tools Used

Manual Review

Recommendations

Validation Addition: Add an additional check to verify that the lengths of tos and amounts are the same. This ensures that the arrays being passed to the function are consistent and prevents unintended behavior.

Update the function as follows:

require(tos.length == amounts.length, "Invalid input");

require(tos.length == ids.length, "Invalid input");

require(amounts.length == ids.length, "Invalid input");

This fix ensures that all arrays (tos, ids, and amounts) must have the same length, preventing any inconsistencies and ensuring that the burn operation is carried out correctly.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

0xbrivan2 Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

541

28 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.