Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Bounds Check on orderIndex parameter in buyOrder Function can lead to Dos

rare__one

Summary

The buyOrder function in the TokenDivider.sol contract does not validate the orderIndex parameter to ensure it is within the bounds of the s_userToSellOrders[seller] array. This can lead to an out-of-bounds array access,

Vulnerability Details

The buyOrder function does not currently check if the orderIndex is within the valid range of the s_userToSellOrders[seller] array. If an invalid orderIndex is provided, it could lead to an out-of-bounds array access, causing the function to revert unexpectedly.

Impact

An attacker can exploit the lack of bounds checking on the orderIndex parameter in the buyOrder function to cause a denial-of-service (DoS) attack on the contract. Here's how:

Invalid orderIndex: By providing an orderIndex that is out of bounds (i.e., greater than or equal to the length of the s_userToSellOrders[seller] array), the attacker can cause the function to revert. This is because accessing an invalid index in the array will cause a runtime error.
Repeated Reverts: The attacker can repeatedly call the buyOrder function with an invalid orderIndex, causing the function to revert each time. This can prevent legitimate users from successfully executing the buyOrder function, effectively causing a denial-of-service.

POC

By setting my orderIndex to a very high value of 9000000000000000000000000 the transaction reverted to the initial state

[vm]from: 0x5B3...eddC4to: TokenDivider.buyOrder(uint256,address) 0xf8e...9fBe8value: 0 weidata: 0x3dd...eddc4logs: 0hash: 0x0db...595f0

status 0x0 Transaction mined but execution failed

transaction hash 0x0dbee929ae88796155749b7462f1314de26b369e5291ebbeb6f4921caf6595f0

block hash 0xf9acb4a10f634d66597f2eca61bcebbeaeacecc56dd647a8508c5f7d604e992e

block number 11

from 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4

to TokenDivider.buyOrder(uint256,address) 0xf8e81D47203A594245E36C48e151709F0C19fBe8

gas 3000000 gas

transaction cost 24573 gas

execution cost 2917 gas

input 0x3dd...eddc4

output 0x4e487b710000000000000000000000000000000000000000000000000000000000000032

decoded input {

"uint256 orderIndex": "9000000000000000000000000",

"address seller": "0x5B38Da6a701c568545dCfcB03FcB875f56beddC4"

}

decoded output {}

logs []

raw logs []

transact to TokenDivider.buyOrder errored: Error occurred: revert.

revert

The transaction has been reverted to the initial state.

Tools used:

remix ide

Recommendation:

Add a check to ensure that the orderIndex is within the bounds of the s_userToSellOrders[seller] array before accessing it. Here is an example of how to add this check:

if (orderIndex >= s_userToSellOrders[seller].length) {revert TokenDivider__InvalidOrderIndex();}

Updates

Lead Judging Commences

fishy Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.