The UniswapStyleLib.getAmountsOut, PriceAware.setLiquidationPath (and others) don't check that path.length + 1 == tokens.length which should always hold true.
Also, it does not check that the tokens actually match the pair.
Impact
It's easy to set faulty liquidation paths which then end up reverting the liquidation transactions.
Email address
mail@cmichel.io
Handle
@cmichelio
Eth address
0x6823636c2462cfdcD8d33fE53fBCD0EdbE2752ad
Vulnerability details
The
UniswapStyleLib.getAmountsOut
,PriceAware.setLiquidationPath
(and others) don't check thatpath.length + 1 == tokens.length
which should always hold true. Also, it does not check that the tokens actually match the pair.Impact
It's easy to set faulty liquidation paths which then end up reverting the liquidation transactions.
Recommended mitigation steps
Add the missing checks.