A vulnerability exists in the checkUpkeep function where the index variable could exceed the size of the preallocated arrays marketIds and assets, leading to an out-of-bounds memory access and contract failure.
The vulnerability is in the checkUpkeep() function in the FeeConversionKeeper.sol file.
The arrays marketIds and assets are initialized with a fixed size of liveMarketIds.length * 10.
Inside the nested loop, the index variable is incremented without bounds checks.
If the combined iterations of the loops exceed the preallocated array size, this results in an out-of-bounds memory access, causing a runtime error.
PoC
The out-of-bounds error can lead to contract execution failure, disrupting operations dependent on checkUpkeep and potentially causing loss of service.
Manual Review
Use dynamic array resizing:
Validate index before assignment to prevent exceeding the array's size.
Precompute the maximum size required for arrays if feasible.
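One way to apply the "precompute the size" recommendation, as an added example that is not the project's code: a two-pass view function that counts matching entries before allocating, so index can never pass the array length. The IFeeSource interface, the BoundedUpkeepCheck contract, pendingConversions and the minFee threshold are hypothetical names assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: names follow the description above, not the project's ABI.
interface IFeeSource {
    function getLiveMarketIds() external view returns (uint128[] memory);
    function getReceivedMarketFees(uint128 marketId)
        external view returns (address[] memory assets, uint256[] memory fees);
}

contract BoundedUpkeepCheck {
    IFeeSource public immutable source;
    uint256 public immutable minFee; // assumed threshold for "conversion needed"

    constructor(IFeeSource source_, uint256 minFee_) { source = source_; minFee = minFee_; }

    function pendingConversions()
        external view returns (uint128[] memory marketIds, address[] memory assets)
    {
        uint128[] memory live = source.getLiveMarketIds();

        // Pass 1: count matching (market, asset) pairs so the arrays are sized exactly.
        uint256 total;
        for (uint256 i; i < live.length; i++) {
            (, uint256[] memory fees) = source.getReceivedMarketFees(live[i]);
            for (uint256 j; j < fees.length; j++) {
                if (fees[j] >= minFee) total++;
            }
        }

        marketIds = new uint128[](total);
        assets = new address[](total);

        // Pass 2: fill. Both passes apply the same predicate to the same view state,
        // so index stops at total and no write lands past the end of either array.
        uint256 index;
        for (uint256 i; i < live.length; i++) {
            (address[] memory mAssets, uint256[] memory fees) = source.getReceivedMarketFees(live[i]);
            require(mAssets.length == fees.length, "length mismatch");
            for (uint256 j; j < fees.length; j++) {
                if (fees[j] < minFee) continue;
                marketIds[index] = live[i];
                assets[index] = mAssets[j];
                index++;
            }
        }
    }
}
```

The second pass doubles the external view calls, which is acceptable for an off-chain simulated check but worth measuring if the function is ever called on-chain.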