code-423n4 / 2021-10-tally-findings


`sweepFees()` `tokens.length` Can Overflow #80

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

leastwood

Vulnerability details

Impact

If the list of tokens provided to the `sweepFees()` function exceeds the maximum uint8 size, the function will revert due to an out of bounds error as the `i` variable overflows. There is no revert message that indicates to the user what may have caused the transaction to fail.

Proof of Concept

https://github.com/code-423n4/2021-10-tally/blob/main/contracts/swap/Swap.sol#L243-L259

Tools Used

Manual code review

Recommended Mitigation Steps

Consider checking that the length of `tokens` fits within the maximum size for a uint8, or updating the uint8 in `sweepFees()` to type uint256.

Shadowfiend commented 2 years ago

In Solidity 0.8.0, arithmetic operators are automatically checked for overflow (see https://docs.soliditylang.org/en/v0.8.3/080-breaking-changes.html), including for uint8. Exceeding uint8 capacity should therefore revert.
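As an added illustration (not code from the Tally repository or from either commenter), the constructed contract below reproduces the uint8 loop-counter shape under discussion next to the two mitigations the finding suggests. It assumes a Solidity 0.8.x compiler, where `i++` on a uint8 reverts with `Panic(0x11)` once the counter would exceed 255, which is the behaviour Shadowfiend describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Constructed reduction of the loop-counter pattern; NOT the Tally Swap.sol code.
contract SweepCounterDemo {
    mapping(address => uint256) public swept;

    /// uint8 counter, as in the finding. `i < tokens.length` compiles because
    /// uint8 widens to uint256. With checked arithmetic (>= 0.8.0), `i++`
    /// reverts with Panic(0x11) after index 255 is processed and more elements
    /// remain, so any call with tokens.length > 255 fails. The revert carries
    /// no reason string, only the panic code, which is the UX point raised.
    function sweepUint8(address[] calldata tokens) external {
        for (uint8 i = 0; i < tokens.length; i++) {
            swept[tokens[i]] += 1;
        }
    }

    /// Mitigation 1: widen the counter to uint256. tokens.length is itself a
    /// uint256, so the counter can never overflow before the loop ends.
    function sweepUint256(address[] calldata tokens) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            swept[tokens[i]] += 1;
        }
    }

    /// Mitigation 2: keep uint8 but reject oversized input up front with a
    /// descriptive reason string instead of an opaque Panic(0x11).
    function sweepChecked(address[] calldata tokens) external {
        require(tokens.length <= type(uint8).max, "sweep: too many tokens");
        for (uint8 i = 0; i < tokens.length; i++) {
            swept[tokens[i]] += 1;
        }
    }
}
```

Calling `sweepUint8` with 256 addresses reverts with `Panic(0x11)`, while `sweepUint256` succeeds and `sweepChecked` reverts with the readable reason string.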

0xean commented 2 years ago

Closing as invalid based on the Solidity version used.