Submission Details
Severity:
Lack Out-of-Bounds Array Check
## Summary
Lack of validation for the length of the `assets` array if it is zero or one in
`FeeDistributionBranch::_performMultiDexSwap`.
## Vulnerability Details
During the conversion of accumulated fees to weth, `FeeDistributionBranch::convertAccumulatedFeesToWeth` makes a called to
`FeeDistributionBranch::_performMultiDexSwap` with the arguments `swapPath` and `ctx.assetAmount`.
```javascript
} else {
// load the weth collateral data storage pointer
Collateral.Data storage wethCollateral = Collateral.load(ctx.weth);
// load custom swap path for asset if enabled
AssetSwapPath.Data storage swapPath = AssetSwapPath.load(asset);
// verify if the swap should be input multi-dex/custom swap path, single or multihop
if (swapPath.enabled) {
@> ctx.tokensSwapped = _performMultiDexSwap(swapPath, ctx.assetAmount);
} else if (path.length == 0) {
```
However, this is no check if the array of `assets` in `swapPath` is not empty or greater than one(1).
## Impact
Unexpected behaviour or failure if the array length is zero or one because the logic of
`FeeDistributionBranch::_performMultiDexSwap` uses `assets[i + 1]`
## Recommendations
Enforce a check to see if the length of the array is greater than one(1).
```diff
+ error InvalidLength();
.
.
.
function _performMultiDexSwap(
AssetSwapPath.Data memory swapPath,
uint256 assetAmount
)
internal
returns (uint256)
{
// load assets array
address[] memory assets = swapPath.assets;
+ if(assets.lenth <= 1) {
+ revert InvalidLength();
+ }
```
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821 USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.