Missing equality check on lengths of tokens and their weights in multiple places.
Example: Different lengths of inputTokens and inputWeights could cause reverts (inputTokens.length > inputWeights.length) or undefined behavior in case of mismatches (inputTokens.length < inputWeights.length).
Handle
0xRajeev
Vulnerability details
Impact
Missing equality check on lengths of tokens and their weights in multiple places.
Example: Different lengths of inputTokens and inputWeights could cause reverts (inputTokens.length > inputWeights.length) or undefined behavior in case of mismatches (inputTokens.length < inputWeights.length).
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L69-L87
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L69-L87
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L42-L43
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add require(tokens.length == weights.length) in all places where users input tokens and their weights.