Submission Details
Severity: medium
Invalid

Missing Input Validation for addRoute Function

Summary
Missing input validation on `StrategyMainnet::addRoute` can result in missing pools or incorrect routing.
Vulnerability Details
The `onlyManagement` role is authorized to call the `addRoute` function with pool addresses and `_swapParams`, but when this is done, there is no check as to whether the length of each input is valid (`_route`, `_swapParams`, `_pools`).
This could lead to incomplete swap configurations or cause the protocol to malfunction when attempting to execute swaps.
```solidity
function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++;
}
```
Source code: https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L56
Impact
The impact will be High, as it will break the protocol functionality, because the input data needs to be complete, especially the route, which requires that the array always include 11 addresses.
Likelihood: Low; it can only occur when the input is not complete.
Tools Used
Manual Review
Recommendations
Implement a check on the input length to validate its correctness and completeness.
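An added example, not code from the audited repository or from the submission: one form a completeness check on `addRoute` could take. Because the parameters are fixed-size arrays, their lengths are set by the type, so the check inspects contents instead; the `RouteRegistry` contract, the custom errors and the rule that unused trailing slots are zero are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the StrategyMainnet contract.
// RouteRegistry, the errors and the zero-padding rule are assumptions.
contract RouteRegistry {
    address public immutable management;
    uint256 public nRoutes;

    mapping(uint256 => address[11]) public routes;
    mapping(uint256 => uint256[5][5]) public swapParams;
    mapping(uint256 => address[5]) public pools;

    error NotManagement();
    error EmptyRoute();
    error GapInRoute(uint256 index);

    modifier onlyManagement() {
        if (msg.sender != management) revert NotManagement();
        _;
    }

    constructor(address _management) {
        management = _management;
    }

    function addRoute(
        address[11] calldata _route,
        uint256[5][5] calldata _swapParams,
        address[5] calldata _pools
    ) external onlyManagement {
        // The parameter types fix the lengths at 11, 5x5 and 5,
        // so only the contents can be validated here.
        if (_route[0] == address(0)) revert EmptyRoute();

        // Assumed convention: used slots come first, unused slots are zero.
        // A non-zero entry after a zero entry means a hop was left out.
        bool ended;
        for (uint256 i = 1; i < 11; ++i) {
            if (_route[i] == address(0)) {
                ended = true;
            } else if (ended) {
                revert GapInRoute(i);
            }
        }

        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }
}
```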
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
