poolsFeeData[pool][_to]'s length is not checked in afterUpdate()
The length of poolsFeeData[pool][user] should not be over 100. In addLiquidityProportional(), the length of poolsFeeData[pool][user] is checked.
However, in afterUpdate(), on a transfer to "address _to", poolsFeeData[poolAddress][_to].length is not checked, which could cause poolsFeeData[poolAddress][_to].length to be over 100. Please refer to the following steps:
1. poolsFeeData[pool][addressA]'s length is 100.
2. poolsFeeData[pool][addressB]'s length is 60.
3. Call afterUpdate() multiple times, transferring all 60 of addressB's tokens to addressA.
4. poolsFeeData[pool][addressA]'s length will be 160.
The length of some poolsFeeData[pool][user] arrays will be over 100.
manually reviewed
Check poolsFeeData at the very beginning of function afterUpdate().
In addLiquidityProportional(), it seems better to change "if (poolsFeeData[pool][msg.sender].length > 100)" to "if (poolsFeeData[pool][msg.sender].length >= 100)".
Likelihood: Medium/High, anyone can receive an unlimited number of NFTs, but it will cost the creation of LP tokens and sending them. Impact: Low/Medium, DoS of afterUpdate and addLiquidityProportional, but it will be mitigable on-chain because a lot of those NFTs can be burned easily in onAfterRemoveLiquidity.
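The bookkeeping gap from the steps above and both recommended checks, as an added example that is not code from the audited contract. The contract name FeeDataCapModel, MAX_ENTRIES, TooManyDeposits, entryCount, the two afterUpdate variants, the reduced function signatures and the use of a bare uint256 id per deposit are assumptions made for this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Simplified model of the per-user deposit bookkeeping (added example, hypothetical names).
contract FeeDataCapModel {
    uint256 public constant MAX_ENTRIES = 100; // cap named in the finding

    // pool => owner => ids of that owner's deposits (the real entry struct is reduced to an id)
    mapping(address => mapping(address => uint256[])) internal poolsFeeData;
    uint256 internal nextId;

    error TooManyDeposits(address pool, address user);

    function entryCount(address pool, address user) external view returns (uint256) {
        return poolsFeeData[pool][user].length;
    }

    /// Deposit path. With `>=` the array never exceeds MAX_ENTRIES; a `>` check allows 101.
    function addLiquidityProportional(address pool) external {
        if (poolsFeeData[pool][msg.sender].length >= MAX_ENTRIES) {
            revert TooManyDeposits(pool, msg.sender);
        }
        poolsFeeData[pool][msg.sender].push(nextId++);
    }

    /// Transfer path as the finding describes it: the recipient's length is never checked,
    /// so a recipient already at 100 entries keeps growing with every incoming transfer.
    function afterUpdateUnchecked(address pool, address to, uint256 tokenId) external {
        _moveEntry(pool, msg.sender, to, tokenId);
    }

    /// Transfer path with the recommended check at the very start of the function.
    function afterUpdateChecked(address pool, address to, uint256 tokenId) external {
        if (poolsFeeData[pool][to].length >= MAX_ENTRIES) revert TooManyDeposits(pool, to);
        _moveEntry(pool, msg.sender, to, tokenId);
    }

    function _moveEntry(address pool, address from, address to, uint256 tokenId) private {
        uint256[] storage src = poolsFeeData[pool][from];
        for (uint256 i = 0; i < src.length; i++) {
            if (src[i] != tokenId) continue;
            src[i] = src[src.length - 1]; // swap-and-pop; this model does not keep entry order
            src.pop();
            poolsFeeData[pool][to].push(tokenId);
            return;
        }
        revert("entry not found");
    }
}
```

A regression test for the fix can fill addressA to 100 entries, then assert that afterUpdateChecked reverts with TooManyDeposits while entryCount for addressA stays at 100.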