Core Contracts

##Summary:

IN: GaugeController.sol

The contract contains a loop that iterates over _gaugeList.length. If _gaugeList is modified during iteration (e.g., new gauges added), it can lead to unintended behavior.

Using an array whose length can only grow as a loop variable may lead to DOS attacks.

The contract iterates over _gaugeList.length without storing the value in a local variable. If _gaugeList is modified during execution, the loop might run indefinitely or consume excessive gas.

CODE:

Vulnerability Details

If new elements are added while looping through _gaugeList.length, the loop may become unbounded, cause gas overflow, or result in unexpected state changes.

Impact

Unbounded Iteration → Infinite loop risk.

• Gas Overflow → Transaction failure due to excessive computation.

• Incorrect Calculations → Unexpected contract behavior

Tools Used

NONE

##PoC

for (uint256 i = 0; i < _gaugeList.length; i++) {
_gaugeList.push(newGauge); // Modifies _gaugeList inside loop
}

Fix: Cache _gaugeList.length before the loop:

uint256 length = _gaugeList.length;
for (uint256 i = 0; i < length; i++) { ... }

Recommendations

Recommendations

1. Cache List Length
   Store _gaugeList.length in a local variable before the loop to prevent dynamic changes:

   uint256 length = _gaugeList.length;

   for (uint256 i = 0; i < length; i++) {

   // Safe iteration

   }

   ​

2. Restrict Modifications During Iteration

   • Ensure _gaugeList cannot be modified while the loop is executing (e.g., by using reentrancy guards or locking mechanisms).

3. Gas Limit Consideration

   • If _gaugeList can grow significantly, consider batch processing to avoid exceeding gas limits.

4. Use Events for Asynchronous Processing

   • Instead of modifying _gaugeList in a loop, emit an event and process changes in separate transactions.

5. Validate State Before Execution

   • Check that _gaugeList.length remains unchanged at the start and end of the loop to detect modifications.