QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Potential length mismatch in `getPoolTokenValue` function

Summary

The getPoolLPTokenValue function does not verify that the length of the prices array matches the length of the tokens array. This oversight can lead to runtime errors and incorrect calculations, potentially affecting the contract's functionality and reliability.

Vulnerability Details

The getPoolLPTokenValue function assumes that the prices array and the tokens array have the same length, but it does not explicitly check this condition.

```solidity
function getPoolLPTokenValue(
    int256[] memory _prices,
    address pool,
    MULDIRECTION _direction
) internal view returns (uint256) {
    uint256 poolValueInUSD;
    PoolData memory poolData = IVaultExplorer(address(_vault)).getPoolData(pool);
    uint256 poolTotalSupply = _vault.totalSupply(pool);
    for (uint i; i < poolData.tokens.length; ) {
        int256 priceScaled18 = _prices[i] * 1e18;
        if (_direction == MULDIRECTION.MULUP) {
            poolValueInUSD += FixedPoint.mulUp(uint256(priceScaled18), poolData.balancesLiveScaled18[i]);
        } else {
            poolValueInUSD += FixedPoint.mulDown(uint256(priceScaled18), poolData.balancesLiveScaled18[i]);
        }
        unchecked {
            ++i;
        }
    }
    return poolValueInUSD / poolTotalSupply;
}
```

The function lacks input validation for array lengths before performing operations that assume a one-to-one correspondence between elements of the two arrays.

Impact

If the arrays have different lengths, the function may attempt to access an out-of-bounds index, causing the contract to revert. Mismatched lengths can also lead to incorrect pool value calculations, as each token's balance must correspond to a valid price.

Tools Used

Manual Review

Recommendations

Add a check to ensure that the prices array and the tokens array have the same length.

function getPoolLPTokenValue(
int256[] memory _prices,
address pool,
MULDIRECTION _direction
) internal view returns (uint256) {
uint256 poolValueInUSD;
PoolData memory poolData = IVaultExplorer(address(_vault)).getPoolData(pool);
uint256 poolTotalSupply = _vault.totalSupply(pool);
+ require(_prices.length == poolData.tokens.length, "Price and token length mismatch");
for (uint i; i < poolData.tokens.length; ) {
int256 priceScaled18 = _prices[i] * 1e18;
if (_direction == MULDIRECTION.MULUP) {
poolValueInUSD += FixedPoint.mulUp(uint256(priceScaled18), poolData.balancesLiveScaled18[i]);
} else {
poolValueInUSD += FixedPoint.mulDown(uint256(priceScaled18), poolData.balancesLiveScaled18[i]);
}
unchecked {
++i;
}
}
return poolValueInUSD / poolTotalSupply;
}
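
Review bot: the added `require` above the loop only changes behaviour when `_prices` is longer than `poolData.tokens`; when it is shorter, `_prices[i]` already reverts on Solidity's array bounds check, because the `unchecked` block wraps only `++i`. If the check is kept, place it directly after `getPoolData` so the `_vault.totalSupply(pool)` call is skipped on bad input. The loop body it guards still casts `uint256(priceScaled18)` without a sign check, so a negative `_prices[i]` wraps to a very large value; a `_prices[i] > 0` requirement would sit naturally beside this length check.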
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
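
The two mismatch directions named in the submission's Impact section, as an added example that is not part of the submission or of QuantAMM's code: a self-contained harness showing that a shorter price array already reverts on the bounds check, while a longer one is accepted unless the equality check is present. The contract and function names are hypothetical, `balances` stands in for `balancesLiveScaled18`, only round-down multiplication is modelled, and the division by total supply is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; LengthMismatchDemo and its functions are hypothetical names.
contract LengthMismatchDemo {
    uint256 private constant ONE = 1e18;

    // Same loop shape as the function on the page, without a length check.
    function valueUnchecked(int256[] memory prices, uint256[] memory balances)
        public pure returns (uint256 total)
    {
        for (uint256 i; i < balances.length; ) {
            // Reverts with Panic(0x32) as soon as i >= prices.length.
            int256 priceScaled18 = prices[i] * 1e18;
            // Stand-in for FixedPoint.mulDown: (a * b) / 1e18.
            total += (uint256(priceScaled18) * balances[i]) / ONE;
            unchecked { ++i; }
        }
    }

    // Same loop behind the equality check the report recommends.
    function valueChecked(int256[] memory prices, uint256[] memory balances)
        public pure returns (uint256)
    {
        require(prices.length == balances.length, "Price and token length mismatch");
        return valueUnchecked(prices, balances);
    }

    // External entry point so probe() can use try/catch on the call.
    function run(int256[] memory prices, uint256[] memory balances, bool checked)
        external pure returns (uint256)
    {
        return checked ? valueChecked(prices, balances) : valueUnchecked(prices, balances);
    }

    // Constructed pool: two tokens, nPrices prices of 2 each.
    // Returns (reverted, value) so each mismatch direction can be compared.
    function probe(uint256 nPrices, bool checked) external view returns (bool, uint256) {
        int256[] memory prices = new int256[](nPrices);
        for (uint256 i; i < nPrices; ++i) prices[i] = 2;
        uint256[] memory balances = new uint256[](2);
        balances[0] = 10e18;
        balances[1] = 5e18;
        try this.run(prices, balances, checked) returns (uint256 v) {
            return (false, v);
        } catch {
            return (true, 0);
        }
    }
}
```

Calling `probe` with `nPrices` set to 1, 2 and 3, once with `checked` false and once true, gives the full comparison.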
