DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Missing Validation for Empty metadata Array in run and runNextAction Functions

Summary

Both the run and runNextAction functions fail to validate the metadata input, leading to potential out-of-bounds errors when an empty array is provided.

Severity: High
Impact: High
Likelihood: Medium


Affected Line Of Code

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/main/contracts/PerpetualVault.sol#L311

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/main/contracts/PerpetualVault.sol#L368

(uint256 acceptablePrice) = abi.decode(metadata[0], (uint256));

(Occurs in both run and runNextAction functions)


Finding Description

Both the run and runNextAction functions access the first element of the metadata array without checking whether it is empty. If an empty array is passed to either of these functions, the code attempts to access metadata[0], leading to an out-of-bounds exception.

This vulnerability breaks the input validation guarantee and can cause unexpected behavior, resulting in contract failure. Malformed data passed to either of these functions could disrupt the entire operation, especially if off-chain scripts are responsible for calling these functions.


Impact Explanation

This issue impacts both functions, causing contract failure when an empty metadata array is passed as input. Given that these functions may be invoked automatically via off-chain scripts or user interactions, an attacker or user could inadvertently trigger the bug by providing an empty array.

The failure of either function will prevent subsequent operations, making it particularly harmful in a live production environment where automatic or script-based interactions with the contract are common.


Likelihood Explanation

The likelihood of exploitation is medium to high, depending on how the contract is used. External parties, including off-chain scripts or users, may send an empty array or malformed data to these functions. Given the lack of input validation in both run and runNextAction, this vulnerability can be triggered by any such interaction, increasing the chances of it being exploited.


Proof of Concept

A PoC is not required for this vulnerability because it is a straightforward input validation issue that can be triggered without requiring complex or custom data manipulation. The contract's failure to validate the length of the metadata array is a common vulnerability that can be reproduced simply by calling the affected functions with an empty array, which is enough to demonstrate the issue.

  1. Both functions will attempt to decode metadata[0] when the array is empty, throwing an out-of-bounds exception and causing the contract to fail.


Recommendation

To resolve this issue, both functions should validate the metadata array before attempting to decode its elements. The following check should be added to both run and runNextAction functions:

Suggested Code Fix:

    if (metadata.length == 0) {
        revert Error.InvalidMetadata(); // Custom error for invalid metadata
    }

This check ensures that an empty metadata array will trigger a revert, preventing the contract from accessing non-existent elements and avoiding a failure.
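The following harness is an added example, not part of the submission and not code from PerpetualVault.sol. It places the quoted decode next to the recommended guard and reports which revert data each produces for an empty array. The contract and function names are hypothetical, and it assumes metadata is a bytes[] array compiled with Solidity 0.8.4 or later, where array indexing is bounds-checked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Illustration only: hypothetical harness, not the project's contract.
contract MetadataGuardDemo {
    // Stand-in for the report's Error.InvalidMetadata() (assumed name).
    error InvalidMetadata();

    // Mirrors the reported pattern: index 0 is read with no length check.
    function decodeUnguarded(bytes[] memory metadata) external pure returns (uint256) {
        return abi.decode(metadata[0], (uint256));
    }

    // Same decode behind the length check the report recommends.
    function decodeGuarded(bytes[] memory metadata) external pure returns (uint256) {
        if (metadata.length == 0) {
            revert InvalidMetadata();
        }
        return abi.decode(metadata[0], (uint256));
    }

    // Calls both variants with an empty array and classifies the revert data.
    function probeEmpty()
        external
        view
        returns (bool unguardedIsIndexPanic, bool guardedIsCustomError)
    {
        bytes[] memory empty = new bytes[](0);

        // Without the guard, the compiler-inserted bounds check fires:
        // revert data is Panic(uint256) with code 0x32 (index out of bounds).
        try this.decodeUnguarded(empty) returns (uint256) {} catch (bytes memory data) {
            unguardedIsIndexPanic =
                keccak256(data) == keccak256(abi.encodeWithSignature("Panic(uint256)", uint256(0x32)));
        }

        // With the guard, revert data is the 4-byte selector of the custom error.
        try this.decodeGuarded(empty) returns (uint256) {} catch (bytes memory data) {
            guardedIsCustomError =
                keccak256(data) == keccak256(abi.encodeWithSelector(InvalidMetadata.selector));
        }
    }
}
```

Under these assumptions probeEmpty returns (true, true): both variants revert, so the call's state changes are rolled back either way, and the guard changes only the revert data the caller sees.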

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

