There are no checks that _amounts.length < 255 = type(uint8).max. This
means that the following (hypothetical) situation is possible:
User wants to deposit the same token A256 number of times.
User calls depositMultiple with _tokens = [address(A), address(A), ..., Address(A)] and _amounts = [// some numbers].
After i = 255, since i is of type uint8 and type(uint8).max = 255, i++ overflows to 0.
This will not only call deposit on the wrong index, but also leads to an
infinite loop. Note that this problem exists regardless of the MAX token
cap of 255. Because, technically one can deposit the same token more
than 255 times (although it may not be logical to do so).
Handle
hrkrshnn
Vulnerability details
Overflow in
depositMultiple
can lead to infinite loop and incorrect depositSee depositMultiple function.
There are no checks that
_amounts.length < 255 = type(uint8).max
. This means that the following (hypothetical) situation is possible:A
256
number of times.depositMultiple
with_tokens = [address(A), address(A), ..., Address(A)]
and_amounts = [// some numbers]
.i = 255
, sincei
is of typeuint8
andtype(uint8).max = 255
,i++
overflows to0
.This will not only call deposit on the wrong index, but also leads to an infinite loop. Note that this problem exists regardless of the MAX token cap of
255
. Because, technically one can deposit the same token more than255
times (although it may not be logical to do so).Recommended Mitigation Steps
require(_tokens.length < 255)
checkuint8 i
touint i
.