code-423n4 / 2021-09-defiprotocol-findings


Validation of weights doesn't check that the sum of the weights add up to 100% #102

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

itsmeSTYJ

Vulnerability details

Impact

Validation of weights is incomplete as it does not include a check to ensure that all the weights sum to 100%.

Recommended Mitigation Steps

```solidity
function validateWeights(address[] memory _tokens, uint256[] memory _weights) public override pure {
    require(_tokens.length == _weights.length);
    uint256 length = _tokens.length;
    uint256 totalWeights = 0; // declare new total weights variable
    address[] memory tokenList = new address[](length);

    // check uniqueness of tokens and not token(0)

    for (uint i = 0; i < length; i++) {
        require(_tokens[i] != address(0));
        require(_weights[i] > 0);

        for (uint256 x = 0; x < tokenList.length; x++) {
            require(_tokens[i] != tokenList[x]);
        }

        tokenList[i] = _tokens[i];
        totalWeights = totalWeights + _weights[i]; // sum the weights here
    }
    // BASE is the contract's constant representing 100%; equality rejects both under- and over-allocation.
    require(totalWeights == BASE, "validateWeights: total weights must equal 100%"); // check that total weight matches BASE.
}
```

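The following is an added off-chain reference model of the checks the warden proposes, written here for this page; it is not code from the project or from the submitter. It assumes BASE = 10**18 stands for 100% and uses plain strings for addresses, with "0x0" standing in for address(0). The sum-to-BASE check is a parameter, since the sponsor and judge state below that in this protocol the weights are not meant to sum to 100%; the model is useful as a test oracle either way, and shows that an equality check rejects under-allocation as well as over-allocation.

```python
# Added reference model of the proposed validateWeights (not project code).
# Assumptions: BASE = 10**18 represents 100%; addresses are strings and
# "0x0" plays the role of Solidity's address(0).

BASE = 10**18          # assumed fixed-point scale for 100%
ZERO_ADDRESS = "0x0"   # stand-in for address(0)


class ValidationError(ValueError):
    """Raised where the Solidity version would revert."""


def validate_weights(tokens, weights, require_full_allocation=True):
    """Apply the proposed checks and return the weight total on success.

    Checks, in the order the Solidity loop applies them:
      - token and weight arrays have the same length
      - no token is the zero address
      - every weight is strictly positive
      - no token appears twice
      - (optional) the weights sum exactly to BASE
    """
    if len(tokens) != len(weights):
        raise ValidationError("length mismatch")

    seen = set()
    total = 0
    for token, weight in zip(tokens, weights):
        if token == ZERO_ADDRESS:
            raise ValidationError("zero address")
        if weight <= 0:
            raise ValidationError("zero weight")
        if token in seen:
            raise ValidationError("duplicate token")
        seen.add(token)
        total += weight

    # Equality rejects both "exceeded 100%" and "under 100%" baskets.
    if require_full_allocation and total != BASE:
        raise ValidationError("weights do not sum to BASE")
    return total


def validation_result(tokens, weights, require_full_allocation=True):
    """Return 'ok' or the revert reason, convenient for tests and fuzzing."""
    try:
        validate_weights(tokens, weights, require_full_allocation)
        return "ok"
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample baskets exercising each edge case.
    cases = [
        (["0xa", "0xb"], [6 * 10**17, 4 * 10**17]),   # exactly 100%
        (["0xa", "0xb"], [6 * 10**17, 5 * 10**17]),   # 110%
        (["0xa", "0xb"], [5 * 10**17, 4 * 10**17]),   # 90%
        (["0xa", "0xa"], [5 * 10**17, 5 * 10**17]),   # duplicate token
        (["0x0", "0xb"], [5 * 10**17, 5 * 10**17]),   # zero address
        (["0xa", "0xb"], [BASE, 0]),                   # zero weight
    ]
    for toks, wts in cases:
        print(toks, wts, "->", validation_result(toks, wts))
```

Running the module prints the reason each constructed basket is accepted or rejected; passing `require_full_allocation=False` reproduces the protocol's own behaviour of not requiring the weights to sum to BASE.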
frank-beard commented 3 years ago

Weights are not meant to add up to 100.

GalloDaSballo commented 2 years ago

Appreciate the warden's submission and hope this can help with renaming some of the variables.

That said, the weights are not supposed to sum up to 100; as such, the finding is invalid.