DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Invalid

No Maximum Routes Limit in addRoute

Summary

The addRoute function allows the addition of an unlimited number of routes without imposing any restriction on the maximum number of routes that can be added.

This lack of limitation could lead to high gas costs and Denial of Service (DoS) risks during contract interactions, especially when managing large numbers of routes.

Vulnerability Details

The addRoute function increments the nRoutes counter every time a new route is added, without checking if the number of routes has exceeded a reasonable limit:

    function addRoute(
        address[11] calldata _route,
        uint256[5][5] calldata _swapParams,
        address[5] calldata _pools
    ) external onlyManagement {
        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }

Impact

There is no restriction on how many routes can be added to the routes array.

The lack of a limit increases storage requirements and gas costs during interactions with the routes array.

Excessive routes can lead to performance issues, making the contract unusable due to gas constraints.
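
Whether the route count affects gas depends on how the routes are read. The following Foundry test is an added example, not code from the audited project: the `RouteGasModel` contract, its mapping layout, the `firstHop` and `countRoutesFrom` readers and the pragma version are all assumptions made to contrast an indexed read with a loop over `nRoutes`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Constructed model, not the audited contract: storage layout and both readers are assumptions.
contract RouteGasModel {
    uint256 public nRoutes;
    mapping(uint256 => address[11]) internal routes;
    // Same write pattern as addRoute above (swapParams, pools, onlyManagement omitted).
    function addRoute(address[11] calldata _route) external {
        routes[nRoutes] = _route;
        nRoutes++;
    }

    // Indexed read: touches one route, cost independent of nRoutes.
    function firstHop(uint256 id) external view returns (address) {
        return routes[id][0];
    }

    // Hypothetical full scan: cost grows linearly with nRoutes.
    function countRoutesFrom(address token) external view returns (uint256 hits) {
        for (uint256 i = 0; i < nRoutes; i++) {
            if (routes[i][0] == token) hits++;
        }
    }
}

contract RouteGasModelTest is Test {
    // Gas for one scan and one indexed read after n routes were added.
    function _measure(uint256 n) internal returns (uint256 scan, uint256 single) {
        RouteGasModel m = new RouteGasModel();
        address[11] memory r;
        r[0] = address(0xBEEF); // constructed token address
        for (uint256 i = 0; i < n; i++) m.addRoute(r);
        uint256 g = gasleft();
        m.countRoutesFrom(address(0xBEEF));
        scan = g - gasleft();
        g = gasleft();
        m.firstHop(0);
        single = g - gasleft();
    }

    function test_onlyTheScanScalesWithRouteCount() public {
        (uint256 scan1, ) = _measure(1);
        (uint256 scan100, uint256 idx100) = _measure(100);
        assertGt(scan100, scan1);   // the loop pays for every stored route
        assertLt(idx100, scan100);  // the indexed read does not
    }
}
```

A cap on `nRoutes` only bounds gas where some function iterates up to `nRoutes`, so the first thing to check in the target contract is whether such a loop exists.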

Recommendations

Introduce a maximum limit on the number of routes that can be added, and enforce it in the addRoute function.

+ uint256 public constant MAX_ROUTES = 10;
function addRoute(
address[11] calldata _route,
uint256[5][5] calldata _swapParams,
address[5] calldata _pools
) external onlyManagement {
+ require(nRoutes < MAX_ROUTES, "Maximum routes limit reached");
routes[nRoutes] = _route;
swapParams[nRoutes] = _swapParams;
pools[nRoutes] = _pools;
nRoutes++;
}
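
Review bot: The `require(nRoutes < MAX_ROUTES, ...)` guard bounds a counter that the visible lines only use as a write index, so the patch does not show which gas-sensitive path it protects. `addRoute` writes `routes[nRoutes]`, `swapParams[nRoutes]` and `pools[nRoutes]` once per call, which does not get more expensive as the count grows, and the caller is already restricted by `onlyManagement`. If the cap is kept, document next to `MAX_ROUTES = 10` why 10 was chosen and which loop over `nRoutes` it is meant to bound. The function only ever increments `nRoutes`, so unless a removal path exists elsewhere, `addRoute` will revert permanently once ten routes have been added.
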
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity