Array out-of-bounds errors in Factory
#30
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Warden finding
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
1 (Low Risk)
frank-beard
added
the
sponsor confirmed
|
Agree with the finding, the index can overflow |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
pants
Vulnerability details
The functions
Factory.proposal(),Factory.getProposalWeights()andFactory.createBasket()accept an argument calledproposalId,idoridNumber, respectively, and use it as an index to determine which element in the_proposalsarray should be loaded and treated. However, these functions don't check that the index they receive as an argument actually fits the bounds of the_proposalsarray.Impact
If the index exceed the array length, there will be a revert with no informative error message. The user wouldn't know what caused the revert.
Tool Used
Manual code review.
Recommended Mitigation Steps
Add an appropriate require statement to each of these functions to validate that the given argument fits the
_proposalsarray bounds.The text was updated successfully, but these errors were encountered: