Part 2

Summary

The _recalculateConnectedMarketsState function lacks a validation check to ensure the length of the connectedMarketsIdsCache array matches the expected length of the connectedMarkets storage. This could result in out-of-bounds access, leading to unexpected runtime reverts or incomplete recalculation of connected market debts.

Affected Line of Code

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/leaves/Vault.sol#L268-L334

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/leaves/Vault.sol#L508-L534

Vulnerability Details

• Root Cause:
  The function assumes the caller ensures the correctness of connectedMarketsIdsCache, but there is no internal validation of its length relative to connectedMarkets.length.

• Problematic Scenario:
  If the caller provides an input array longer than connectedMarkets, an attempt to access a non-existent index in the connectedMarkets storage will cause the function to revert.

Impact

• Runtime Reverts: An out-of-bounds access could stop execution and prevent the recalculation of connected market debts.

• Incomplete Operations: If the input array is shorter, certain markets may not have their debts recalculated, resulting in inconsistent state updates.

• DoS Risk: Repeated invocation with invalid inputs could potentially disrupt operations that depend on this function.

Tools Used

• Manual Code Review

Recommendations

Add a validation check to ensure the length of connectedMarketsIdsCache does not exceed the length of connectedMarkets at the start of the function.

Suggested Fix:

This validation will ensure that only correctly sized inputs are processed, preventing out-of-bounds errors and guaranteeing consistent recalculations.