code-423n4 / 2022-09-canto-findings


BaseV1Pair.sampleSupply() will always return empty array when window argument input is 0 #71

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L271-L289
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L261

Vulnerability details

Impact

In the BaseV1Pair contract, when sampleSupply() is called with a zero value for the window argument, it will always return an empty fixed-size array.

When the window argument is 0, the for loop is bypassed and sampleSupply() returns _totalSupply, which is an empty fixed-size array of `points` empty entries.

Proof of Concept

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L271-L289

  1. Call BaseV1Pair.sampleSupply() with inputs: points = 5, window = 0
  2. _totalSupply is now an array of fixed size 5.
  3. Assume observations.length is 6.
  4. Then the calculation of i will be: i = 5 - 0 = 5
  5. Since 5 is not less than 5, the for loop is bypassed.
  6. _totalSupply, which is still a list of empty entries, is returned.
  7. Additionally, this also affects the result of totalSupplyAvg(), which will always return 0.

Tools Used

Manual review

Recommended Mitigation Steps

A require check for zero value may be necessary to resolve this.
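To make the arithmetic in steps 1 to 6 of the proof of concept concrete, here is an added Solidity illustration that reconstructs a sampling loop with the shape the finding describes (start index computed from `points * window`, loop bound at `observations.length - 1`), alongside the require guard the mitigation suggests. This is not the project's BaseV1Pair code: the `Observation` struct, the constructor's sample data and the function bodies are assumptions written for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Illustrative reconstruction (not the project's code) of a cumulative-supply
/// sampling loop. The start index is (observations.length - 1) - points * window,
/// so with window == 0 it equals the loop bound and the body never executes.
contract SupplySampler {
    struct Observation {
        uint256 timestamp;
        uint256 totalSupplyCumulative;
    }

    Observation[] public observations;

    constructor() {
        // Constructed sample data: six observations 1800 seconds apart, with the
        // cumulative supply growing as if total supply were a constant 1000.
        for (uint256 k = 0; k < 6; k++) {
            observations.push(Observation({
                timestamp: 1_000_000 + k * 1800,
                totalSupplyCumulative: 1000 * k * 1800
            }));
        }
    }

    /// Behaviour as described in the finding: with points = 5 and window = 0,
    /// i = 5 - 0 = 5 and length = 5, so `5 < 5` is false, the loop is skipped
    /// and the zero-initialised array of `points` entries is returned as-is.
    function sampleSupplyUnchecked(uint256 points, uint256 window)
        public
        view
        returns (uint256[] memory _totalSupply)
    {
        _totalSupply = new uint256[](points);
        uint256 length = observations.length - 1;
        uint256 i = length - (points * window);
        uint256 index = 0;
        for (; i < length; i += window) {
            uint256 nextIndex = i + window;
            uint256 timeElapsed =
                observations[nextIndex].timestamp - observations[i].timestamp;
            _totalSupply[index] =
                (observations[nextIndex].totalSupplyCumulative -
                    observations[i].totalSupplyCumulative) / timeElapsed;
            index++;
        }
    }

    /// Hardened variant following the recommended mitigation: reject a zero
    /// window up front instead of silently returning zeros, which would also
    /// make any average computed over this array read as 0.
    function sampleSupply(uint256 points, uint256 window)
        public
        view
        returns (uint256[] memory)
    {
        require(window > 0, "window must be > 0");
        return sampleSupplyUnchecked(points, window);
    }

    /// Average over the sampled points; with the unchecked variant and
    /// window == 0 every entry is 0, so the average is 0 (step 7 of the PoC).
    function totalSupplyAvg(uint256 points, uint256 window)
        external
        view
        returns (uint256)
    {
        uint256[] memory samples = sampleSupply(points, window);
        uint256 sum = 0;
        for (uint256 k = 0; k < samples.length; k++) {
            sum += samples[k];
        }
        return sum / points;
    }
}
```

Calling `sampleSupplyUnchecked(5, 0)` on this contract returns `[0, 0, 0, 0, 0]`, while `sampleSupplyUnchecked(5, 1)` walks indices 0 to 5 and returns five entries of 1000; `sampleSupply(5, 0)` reverts with the guard's message instead of returning the zero-filled array.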

nivasan1 commented 2 years ago

It is unclear how the function / availability of the protocol is at risk here as a sample with window 0 is a no-op (no observations are being sampled).

0xean commented 2 years ago

Downgrading to QA; the warden fails to show the impact of the issue.