A malicious actor can manipulate the AuctionResult[] passed to RewardLib.rewards() to make it return a short _rewards array
Proof of Concept
The issue is that there is no check that i stays within the bounds of _rewards. If _rewards is shorter than expected, this loop could try to access elements past the end of the array, causing an out of bounds error
Lines of code
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L167-L169
Vulnerability details
Impact
A malicious actor can manipulate the AuctionResult[] passed to RewardLib.rewards() to make it return a short _rewards array
Proof of Concept
The issue is that there is no check that i stays within the bounds of _rewards. If _rewards is shorter than expected, this loop could try to access elements past the end of the array, causing an out of bounds error
Tools Used
Manual
Recommended Mitigation Steps
bounds checking should be added
Assessed type
Other