Weight array validation vulnerability in manual weight setting function
Summary
The setWeightsManually function allows you to manually alter weights for assets in a pool. When _numberOfAssets is less than the length of the _weights array, the function only validates a portion of the weights, leaving unvalidated values in the array. This presents possible dangers since unvalidated items can avoid intended limits.
Vulnerability Details
Issue: Partial Validation of _weights Array
The validation loop in the setWeightsManually function checks weights only for indices less than _numberOfAssets:
If _numberOfAssets is less than _weights.length, weights at indices greater than or equal to _numberOfAssets are not validated. These unchecked weights may contain invalid or malicious values.
Impact
The vulnerability can lead to Bypassing Validation, as unvalidated elements in the _weights array could have negative values or exceed the 1e18 limit, which might disrupt pool calculations or lead to undefined behavior.
Tools Used
Manual review
Recommendations
Validate Entire _weights Array:
Ensure that all elements in the _weights array are validated, irrespective of the _numberOfAssets. Modify the validation loop as follows:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.