The configureConnectedVaults function in Market.sol incorrectly accesses an out-of-bounds index in the connectedVaults array, leading to a denial-of-service condition that disrupts market configuration.
The configureConnectedVaults function is designed to add a new set of vault IDs to the market's list of connected vaults. However, it incorrectly uses connectedVaults[connectedVaults.length] as the target index for insertion.
In Solidity, dynamic arrays are zero-indexed, and a valid index is in the range [0, length - 1]. Accessing connectedVaults[connectedVaults.length] is therefore out-of-bounds and always reverts, including when the array is empty. This prevents the registration of vaults necessary for credit delegation and operational functionality.
The impact of this vulnerability is high because it directly disrupts core market configuration functionality. The inability to properly add vault IDs to the connected vaults array results in a denial-of-service for market configuration. This can impair market operations, leading to misallocation of credit, failed liquidations, and significant financial consequences for the protocol.
Manual review
Assume an administrator attempts to connect vaults to a market by calling a higher-level function that internally calls configureConnectedVaults with an array of vault IDs. With an initially empty connectedVaults array:
1. The administrator passes an array, e.g., [vaultId1, vaultId2].
2. During execution, the loop iterates and tries to add each vault ID at connectedVaults[connectedVaults.length].
3. If connectedVaults.length is 0 (empty array), the code attempts to access connectedVaults[0]—but since no element exists, it reverts.
4. Even if the array is non-empty, using the index equal to the array’s length is always out-of-bounds.
This out-of-bounds access will cause the transaction to revert, preventing the configuration of connected vaults.
Modify the function to properly create a new UintSet instance by using the push() method and then use the correct index for adding vault IDs:
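The following is an added illustration of the faulty indexing next to the push()-based fix; it is not the Market.sol source or the report's original snippet. The contract name, the function names and the VaultSet struct (a hypothetical stand-in for the UintSet type mentioned above) are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the Market.sol source. VaultSet is a hypothetical
/// stand-in for the UintSet type the finding mentions.
contract ConnectedVaultsDemo {
    struct VaultSet {
        uint256[] ids;
        mapping(uint256 => bool) contains;
    }

    // Each configuration call is meant to append one new set of vault IDs.
    VaultSet[] private connectedVaults;

    /// Buggy pattern: index == length is one past the last valid slot, so the
    /// bounds check reverts with Panic(0x32) as soon as the loop body runs,
    /// whether the array is empty or not.
    function configureBuggy(uint256[] calldata vaultIds) external {
        for (uint256 i = 0; i < vaultIds.length; i++) {
            VaultSet storage set = connectedVaults[connectedVaults.length];
            _add(set, vaultIds[i]);
        }
    }

    /// Fixed pattern: push() grows the array by one zero-initialised element
    /// and returns a storage reference to it; all IDs go into that new set.
    function configureFixed(uint256[] calldata vaultIds) external {
        VaultSet storage set = connectedVaults.push();
        for (uint256 i = 0; i < vaultIds.length; i++) {
            _add(set, vaultIds[i]);
        }
    }

    // Set-style insert: duplicates within one set are ignored.
    function _add(VaultSet storage set, uint256 id) private {
        if (!set.contains[id]) {
            set.contains[id] = true;
            set.ids.push(id);
        }
    }

    function setCount() external view returns (uint256) {
        return connectedVaults.length;
    }

    function vaultsAt(uint256 index) external view returns (uint256[] memory) {
        return connectedVaults[index].ids;
    }
}
```

A regression test for the fix can call configureFixed with two IDs on a fresh deployment and check that setCount() is 1 and vaultsAt(0) returns both IDs, while the same call to configureBuggy reverts.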