DeFiFoundrySolidity
Submission Details
Severity: high
Invalid

Missing Route Bounds Check in `claimAndSwap` in `StrategyMainnet.sol`

Summary

The claimAndSwap function does not validate whether the _routeNumber parameter falls within the valid range of configured routes.

This omission could result in out-of-bounds array access, causing the transaction to revert or potentially introducing exploitable vulnerabilities in certain environments.

Vulnerability Details

The claimAndSwap function uses _routeNumber to index the routes, swapParams, and pools arrays without first checking that it is below the number of configured routes.

function claimAndSwap(
    uint256 _amountClaim,
    uint256 _minOut,
    uint256 _routeNumber
) external onlyKeepers {
    transmuter.claim(_amountClaim, address(this));
    // _routeNumber indexes three storage arrays with no bounds check
    router.exchange(
        routes[_routeNumber],
        swapParams[_routeNumber],
        _amountClaim,
        _minOut,
        pools[_routeNumber],
        address(this)
    );
}

Impact

If _routeNumber is equal to or greater than the length of the routes, swapParams, or pools arrays, the array read reverts with an index-out-of-bounds panic, so the whole transaction reverts.

An attacker could exploit this vulnerability to disrupt the functionality of the protocol by sending an invalid _routeNumber.

Recommendations

Add a validation check to ensure _routeNumber is within the valid range of configured routes.

function claimAndSwap(
    uint256 _amountClaim,
    uint256 _minOut,
    uint256 _routeNumber
) external onlyKeepers {
+   require(_routeNumber < nRoutes, "Invalid route number");
    transmuter.claim(_amountClaim, address(this));
    router.exchange(
        routes[_routeNumber],
        swapParams[_routeNumber],
        _amountClaim,
        _minOut,
        pools[_routeNumber],
        address(this)
    );
}
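The following is an added example, not code from StrategyMainnet.sol or the project. It reduces the route bookkeeping to a stand-in contract (one uint256 per route in place of the Curve router arguments), puts the unchecked and the checked variants of claimAndSwap side by side, and uses a Foundry test to pin down what each does with an out-of-range route number. The nRoutes counter, the addRoute helper and the revert strings are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (not the strategy's own code): stand-in for the per-route
// arrays in StrategyMainnet.sol plus a Foundry test of the revert behaviour.
import {Test, stdError} from "forge-std/Test.sol";

contract RouteStrategy {
    address public immutable keeper;
    uint256 public nRoutes;          // number of configured routes (assumed field)
    uint256[] internal routes;       // stand-in for routes[_routeNumber]
    uint256[] internal pools;        // stand-in for pools[_routeNumber]
    uint256 public lastRoute;        // records which route the last swap used

    modifier onlyKeepers() {
        require(msg.sender == keeper, "!keeper");
        _;
    }

    constructor(address _keeper) {
        keeper = _keeper;
    }

    /// Adds a route to every per-route array at once, so nRoutes always
    /// equals routes.length and pools.length (the invariant the check relies on).
    function addRoute(uint256 route, uint256 pool) external onlyKeepers {
        routes.push(route);
        pools.push(pool);
        nRoutes = routes.length;
    }

    /// Mirrors the reported code: no bounds check before indexing.
    function claimAndSwapUnchecked(uint256 _routeNumber) external onlyKeepers {
        _exchange(routes[_routeNumber], pools[_routeNumber]);
    }

    /// Mirrors the recommended fix: reject unknown route numbers explicitly.
    function claimAndSwap(uint256 _routeNumber) external onlyKeepers {
        require(_routeNumber < nRoutes, "Invalid route number");
        _exchange(routes[_routeNumber], pools[_routeNumber]);
    }

    /// Stand-in for transmuter.claim followed by router.exchange.
    function _exchange(uint256 route, uint256 /*pool*/) internal {
        lastRoute = route;
    }
}

contract RouteBoundsTest is Test {
    RouteStrategy internal strat;

    function setUp() public {
        strat = new RouteStrategy(address(this)); // the test contract acts as keeper
        strat.addRoute(1, 100);
        strat.addRoute(2, 200);
    }

    // Index == length is already out of bounds: Solidity 0.8 reverts with Panic(0x32).
    function testUncheckedRevertsWithPanic() public {
        vm.expectRevert(stdError.indexOOBError);
        strat.claimAndSwapUnchecked(2);
    }

    // The checked version fails before touching storage, with a readable reason.
    function testCheckedRevertsWithReason() public {
        vm.expectRevert(bytes("Invalid route number"));
        strat.claimAndSwap(2);
    }

    function testValidRouteIsUsed() public {
        strat.claimAndSwap(1);
        assertEq(strat.lastRoute(), 2);
    }

    // In both variants only a keeper can reach the array index at all.
    function testNonKeeperIsRejected() public {
        vm.prank(address(0xBEEF));
        vm.expectRevert(bytes("!keeper"));
        strat.claimAndSwapUnchecked(7);
    }
}
```

Run it with forge test from a Foundry project that has forge-std installed. The two revert tests show the practical difference the check makes: without it the call still reverts, but with an opaque panic rather than a reason string, and only after transmuter.claim has already executed in the real contract; the last test shows that the index is only ever supplied by a keeper, which is what bounds the impact.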
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
