Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Array-out-of-bounds vulnerability in runNextAction function

bladesec

Title

Array-out-of-bounds vulnerability in runNextAction function

Summary

A malicious actor can cause the runNextAction function to fail by creating an array-out-of-bounds error.

Vulnerability Details

The runNextAction function assumes that metadata[1] exists during index token swaps.
However, if the metadata array only has one element (length 1), accessing metadata[1] will cause an error.

if (IERC20(indexToken).balanceOf(address(this)) * prices.indexTokenPrice.min >= ONE_USD) {
(, bytes memory data) = abi.decode(metadata[1], (PROTOCOL, bytes));
_doDexSwap(data, false);
}

When the keeper calls runNextAction with metadata of length 1, any malicious user can front-run this transaction by sending a small amount of index tokens to the vault.
This forces the keeper's transaction to hit the array-out-of-bounds error, causing it to revert.

Impact

The malicious actor can disrupt the keeper's ability to perform actions on the vault.

Tools Used

Manual Review

Recommendations

Add a check to ensure metadata.length is valid before accessing specific elements.

if (IERC20(indexToken).balanceOf(address(this)) * prices.indexTokenPrice.min >= ONE_USD) {
if (metadata.length == 2) {
(, bytes memory data) = abi.decode(metadata[1], (PROTOCOL, bytes));
_doDexSwap(data, false);
}
}
Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.