Absence of Array Length Validation in MultiHopOracle.sol
Summary
MultiHopOracle.sol is designed for tokens where no direct oracle/price feeds exist. However, the constructor() lacks a validation statement for the _oracles variable. If the length of _oracles is zero, the _getData() function cannot retrieve data, rendering the contract ineffective in fulfilling its purpose.
Vulnerability Details
This is the constructor function in MultiHopOracle.sol. As shown in the code snippet, there is no validation to ensure the _oracles array is non-empty. The issue originates from the absence of a check to confirm that _oracles.length > 0
Impact
If the oracles array length is zero, the _getData() function will not function correctly as there will be no valid oracles to pull data from.
Tools Used
Recommendations
We have to add a validation check in the constructor to ensure the _oracles array is non-empty
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.