code-423n4 / 2023-01-drips-findings


RETURNS EMPTY UINT256 `configs` MEMORY ARRAY SINCE THE UPDATED MEMORY ARRAY IS NOT RETURNED #296

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L769-L785 https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L792-L807

Vulnerability details

Impact

The _buildConfigs() function inside Drips.sol is required to build a preprocessed list of drips configurations from receivers. Thus, in its implementation it initializes the uint256[] memory configs array and sends it as an argument to the _addConfig() private function. _addConfig() is expected to add the valid drips configuration of the receiver to the configs array and return the updated configsLen value.

Proof of Concept

Even though the _addConfig() function updates the configs memory array with the valid drips configuration of the receiver, the updated configs memory array is never returned. Thus the _buildConfigs() function never receives the updated uint256[] memory configs array. Hence the _buildConfigs() function will always return the empty configs array initialized with zero values.

```solidity
function _buildConfigs(DripsReceiver[] memory receivers)
    private
    view
    returns (uint256[] memory configs, uint256 configsLen)
{
    unchecked {
        require(receivers.length <= _MAX_DRIPS_RECEIVERS, "Too many drips receivers");
        configs = new uint256[](receivers.length);
        for (uint256 i = 0; i < receivers.length; i++) {
            DripsReceiver memory receiver = receivers[i];
            if (i > 0) {
                require(_isOrdered(receivers[i - 1], receiver), "Receivers not sorted");
            }
            configsLen = _addConfig(configs, configsLen, receiver);
        }
    }
}
```

https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L769-L785

```solidity
function _addConfig(uint256[] memory configs, uint256 configsLen, DripsReceiver memory receiver)
    private
    view
    returns (uint256 newConfigsLen)
{
    uint256 amtPerSec = receiver.config.amtPerSec();
    require(amtPerSec != 0, "Drips receiver amtPerSec is zero");
    (uint256 start, uint256 end) =
        _dripsRangeInFuture(receiver, _currTimestamp(), type(uint32).max);
    // slither-disable-next-line incorrect-equality,timestamp
    if (start == end) {
        return configsLen;
    }
    configs[configsLen] = (amtPerSec << 64) | (start << 32) | end;
    return configsLen + 1;
}
```

https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L792-L807

Tools Used

Manual and VS Code

Recommended Mitigation Steps

Update the _addConfig() function to return the updated configs array as well.

```solidity
return (configs, configsLen + 1);
```

And update the _buildConfigs() function to receive the updated configs array from the _addConfig() function and return it to the calling function.

```solidity
(configs, configsLen) = _addConfig(configs, configsLen, receiver);
```

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid

GalloDaSballo commented 1 year ago

Returns are implicit in the function signatures

GalloDaSballo commented 1 year ago
Screenshot 2023-02-06 at 17 07 41
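
The following is an added example, not part of the original thread or the Drips code base. It isolates the two Solidity behaviours this finding turns on: a `memory` array passed to a private function is passed by reference, and named return variables are returned without an explicit `return`. The contract and function names are hypothetical, modelled on the shape of `_buildConfigs()` and `_addConfig()` quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration; names are hypothetical, not from Drips.sol.
contract MemoryRefDemo {
    /// Same shape as _addConfig(): writes into the caller's array and
    /// returns only the new length.
    function _append(uint256[] memory arr, uint256 len, uint256 value)
        private
        pure
        returns (uint256 newLen)
    {
        if (value == 0) {
            return len; // entry skipped, array untouched
        }
        arr[len] = value; // `arr` refers to the caller's memory, not a copy
        return len + 1;
    }

    /// Same shape as _buildConfigs(): named returns, no `return` statement.
    function build(uint256[] memory values)
        public
        pure
        returns (uint256[] memory out, uint256 outLen)
    {
        out = new uint256[](values.length);
        for (uint256 i = 0; i < values.length; i++) {
            outLen = _append(out, outLen, values[i]);
        }
        // `out` and `outLen` are returned implicitly here.
    }

    /// Self-check on constructed input: reverts if the callee's writes
    /// were not visible in the array the caller returns.
    function check() external pure returns (bool) {
        uint256[] memory input = new uint256[](3);
        input[0] = 7;
        input[1] = 0; // skipped by _append
        input[2] = 9;
        (uint256[] memory out, uint256 outLen) = build(input);
        require(outLen == 2, "length not updated");
        require(out[0] == 7 && out[1] == 9, "callee writes lost");
        require(out[2] == 0, "unused slot should stay zero");
        return true;
    }
}
```

This applies to internal and private calls only; arguments to an external call are ABI-encoded, so the callee works on its own copy and writes are not visible to the caller.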