In the onAfterRemoveLiquidity function, there is a potential for arithmetic underflow in the loop iterating over the feeDataArray when processing liquidity removal. This issue arises from the use of a decrementing loop that does not properly handle the underflow condition for a uint256 variable. This can lead to unintended behavior, including infinite loops and out-of-bounds access.
In onAfterRemoveLiquidity, the issue is found in the line of code below
The loop initializes i to localData.feeDataArrayLength - 1, which is the last valid index of the feeDataArray.
When i reaches 0, the next decrement (--i) causes i to underflow, wrapping around to 2^256 - 1.
This results in an infinite loop, as the condition i >= 0 will always evaluate to true for unsigned integers.
The contract may become unresponsive, consuming gas indefinitely, which can lead to denial of service for users attempting to interact with the contract.
Manual Review
Modify the loop to start from localData.feeDataArrayLength and check that i is greater than 0 to prevent underflow.
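The two loop shapes side by side, as an added example that is not the audited contract's code: a constructed, simplified newest-first withdrawal in which every name (ReverseLoopDemo, deposits, withdrawAsWritten, withdrawFixed, WithdrawalExceedsDeposits) is hypothetical. It assumes Solidity 0.8 or later, where arithmetic is checked by default; the page does not state the compiler version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // assumption: checked arithmetic (0.8+); version not given on the page

/// Constructed model of a newest-first withdrawal over per-deposit records.
/// All names are hypothetical; this is not the audited contract.
contract ReverseLoopDemo {
    error WithdrawalExceedsDeposits(uint256 shortfall);

    uint256[] public deposits; // stands in for feeDataArray

    function deposit(uint256 amount) external {
        deposits.push(amount);
    }

    /// Loop shape described in the finding: `i >= 0` is always true for a uint256.
    /// With checked arithmetic, `--i` at i == 0 reverts with Panic(0x11),
    /// and an empty array reverts earlier, at `length - 1`.
    function withdrawAsWritten(uint256 amount) external {
        uint256 left = amount;
        for (uint256 i = deposits.length - 1; i >= 0; --i) {
            uint256 take = left < deposits[i] ? left : deposits[i];
            deposits[i] -= take;
            left -= take;
            if (left == 0) break; // the only exit path that does not revert
        }
    }

    /// Loop shape from the recommendation: start at length, test i > 0, index with i - 1.
    function withdrawFixed(uint256 amount) external {
        uint256 left = amount;
        for (uint256 i = deposits.length; i > 0; --i) {
            uint256 idx = i - 1;
            uint256 take = left < deposits[idx] ? left : deposits[idx];
            deposits[idx] -= take;
            left -= take;
            if (left == 0) break;
        }
        // The loop now ends cleanly at index 0, so a request larger than the
        // recorded deposits has to be rejected explicitly.
        if (left != 0) revert WithdrawalExceedsDeposits(left);
    }
}
```

When the loop condition is corrected, the explicit revert after the loop is what keeps an oversized request from succeeding; in the first shape that rejection happens only through the arithmetic panic.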
That’s definitely not the best way to handle that, but there is indeed no impact. If someone tries to get more than their deposits, it must revert, and thanks to that "fancy mistake" (or genius code?), it does.