QuantAMM
49,600 OP

Submission Details
Severity: low
Invalid

Lack of Input Validation in `MultiHopOracle.sol::constructor()`: the constructor does not check for an empty array.

Vulnerability Details:

The constructor(HopConfig[] memory _oracles) in the contract MultiHopOracle.sol does not validate its input _oracles. If an empty array is passed, the contract will not function correctly.

constructor(HopConfig[] memory _oracles) {
    // No length check: an empty _oracles leaves the oracles array empty.
    for (uint i = 0; i < _oracles.length; i++) {
        oracles.push(_oracles[i]);
    }
}

Passing an empty array leaves the oracles array empty. This might not cause an immediate malfunction, but it can lead to unexpected behavior later, especially in code that relies on the oracles.length variable.

We know that no user intentionally passes an empty array as input to the constructor. However, there is still a slight chance of this happening due to errors in user-generated data, i.e. a user might accidentally enter an empty array due to a typo or misunderstanding.

Impact:

While an empty array might not be a common exploit attempt, a malicious user could pass a specially crafted empty array to break contract functionality. A successful exploit could leave the contract unusable until a fix is deployed.

Recommended Mitigation:

Add a check to validate the input in MultiHopOracle.sol::constructor, i.e.:

constructor(HopConfig[] memory _oracles) {
    // Reject deployment with zero hops.
    require(_oracles.length > 0, "Oracles array cannot be empty");
    for (uint i = 0; i < _oracles.length; i++) {
        oracles.push(_oracles[i]);
    }
}
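To show the recommended check in action, here is an added example (not the QuantAMM project's code and not part of the original submission): a minimal MultiHopOracle-like contract with the require guard, plus a Foundry test that confirms deployment with an empty array reverts while a non-empty array is stored. The HopConfig fields (oracle, invert) and the hopCount getter are assumptions, since the page does not show the real struct.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the QuantAMM project's code. HopConfig fields and
// hopCount() are assumed for illustration; only the constructor guard
// mirrors the recommended mitigation.
import "forge-std/Test.sol";

struct HopConfig {
    address oracle; // assumed field
    bool invert;    // assumed field
}

contract MultiHopOracleExample {
    HopConfig[] public oracles;

    constructor(HopConfig[] memory _oracles) {
        // Recommended mitigation: refuse to deploy with zero hops.
        require(_oracles.length > 0, "Oracles array cannot be empty");
        for (uint i = 0; i < _oracles.length; i++) {
            oracles.push(_oracles[i]);
        }
    }

    // Assumed helper so the test can observe how many hops were stored.
    function hopCount() external view returns (uint256) {
        return oracles.length;
    }
}

contract MultiHopOracleExampleTest is Test {
    // Deployment with an empty array must revert with the guard's message.
    function test_RevertsOnEmptyArray() public {
        HopConfig[] memory empty = new HopConfig[](0);
        vm.expectRevert(bytes("Oracles array cannot be empty"));
        new MultiHopOracleExample(empty);
    }

    // Deployment with hops succeeds and stores every entry.
    function test_StoresHops() public {
        HopConfig[] memory hops = new HopConfig[](2);
        hops[0] = HopConfig({oracle: address(0x1), invert: false});
        hops[1] = HopConfig({oracle: address(0x2), invert: true});
        MultiHopOracleExample o = new MultiHopOracleExample(hops);
        assertEq(o.hopCount(), 2);
    }
}
```

Run with forge test from a Foundry project that has forge-std installed; the first test passes only because the require guard is present, which is the quickest way to regression-check the mitigation.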
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.
