QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Array length restriction violated in UpliftOnlyExample::addLiquidityProportional

ragnarok

Summary

The UpliftOnlyExample contract enforces a maximum length of 100 for the poolsFeeData[pool][user] array. However, due to a logical error in the UpliftOnlyExample::addLiquidityProportional function, the condition poolsFeeData[pool][msg.sender].length > 100 allows the array to grow to a maximum of 101 elements. Specifically, when poolsFeeData[pool][msg.sender].length == 100, the condition passes, permitting an additional element to be pushed into the array.

UpliftOnlyExample::addLiquidityProportional function:

function addLiquidityProportional(
address pool,
uint256[] memory maxAmountsIn,
uint256 exactBptAmountOut,
bool wethIsEth,
bytes memory userData
) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
// Max poolsFeeData[pool][user].length = 101 not 100 as expected
=> if (poolsFeeData[pool][msg.sender].length > 100) {
revert TooManyDeposits(pool, msg.sender);
}
...
}

Impact

The poolsFeeData[pool][user] array can exceed the intended maximum length.

Recommendations

Update the UpliftOnlyExample::addLiquidityProportional function:

function addLiquidityProportional(
address pool,
uint256[] memory maxAmountsIn,
uint256 exactBptAmountOut,
bool wethIsEth,
bytes memory userData
) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
- if (poolsFeeData[pool][msg.sender].length > 100) {
+ if (poolsFeeData[pool][msg.sender].length >= 100) {
revert TooManyDeposits(pool, msg.sender);
}
...
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_Uplift_101_deposit_strict_equal

Only 1 more NFT won’t have any impact. Informational.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!