This function handles the completion of an RNG relay auction. The problem is this block of code:
    for (uint8 i = 0; i < _rewards.length; i++) {
        uint104 _reward = uint104(_rewards[i]);
        if (_reward > 0) {
            prizePool.withdrawReserve(auctionResults[i].recipient, _reward);
            emit AuctionRewardDistributed(_sequenceId, auctionResults[i].recipient, i, _reward);
        }
    }
The variable i is declared as a uint8, which means it can only hold values from 0 to 255. If _rewards.length is more than 255, the function will revert.
Proof of Concept
The issue lies in the use of uint8 as the loop iterator, which can only represent values between 0 and 255. If the length of the _rewards array exceeds 255, the loop will revert.
    for (uint8 i = 0; i < _rewards.length; i++) {
        uint104 _reward = uint104(_rewards[i]);
        if (_reward > 0) {
            prizePool.withdrawReserve(auctionResults[i].recipient, _reward);
            emit AuctionRewardDistributed(_sequenceId, auctionResults[i].recipient, i, _reward);
        }
    }
But _rewards.length can be bigger than the maximum uint8 value, and if so the function will revert.
Tools Used
Visual Studio Code
Recommended Mitigation Steps
I recommend changing the data type of the iterator from uint8 to uint256, as this data type can handle a much larger range of values. By making this change, the function would be able to process any number of rewards.
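The boundary described above can be reproduced in isolation. The contract below is an added example, not code from pt-v5-draw-auction; the contract and function names are hypothetical, and it assumes Solidity 0.8 or later, where `i++` on a uint8 holding 255 reverts instead of wrapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19; // assumption: checked arithmetic (0.8+)

/// Added illustration only; names are hypothetical.
contract LoopCounterWidth {
    /// Same loop shape as the reported block: uint8 counter, uint256 length.
    function sumUint8(uint256[] memory rewards) public pure returns (uint256 total) {
        for (uint8 i = 0; i < rewards.length; i++) {
            total += rewards[i];
        }
    }

    /// The recommended form: the counter is as wide as the array length.
    function sumUint256(uint256[] memory rewards) public pure returns (uint256 total) {
        for (uint256 i = 0; i < rewards.length; i++) {
            total += rewards[i];
        }
    }

    /// Builds a constructed input of n entries, each equal to 1.
    function build(uint256 n) internal pure returns (uint256[] memory a) {
        a = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            a[i] = 1;
        }
    }

    /// ok255 is true: with 255 entries the counter stops at 255 and the
    /// loop condition fails before another increment is needed.
    /// ok256 is false: with 256 entries the body runs for i == 255 and
    /// the following i++ overflows, so the whole call reverts.
    /// fixed256 is 256: the uint256 counter handles the same input.
    function demo() external view returns (bool ok255, bool ok256, uint256 fixed256) {
        try this.sumUint8(build(255)) returns (uint256) {
            ok255 = true;
        } catch {}
        try this.sumUint8(build(256)) returns (uint256) {
            ok256 = true;
        } catch {}
        fixed256 = sumUint256(build(256));
    }
}
```

In the uint8 version the revert happens after the last element has been processed, so everything done in earlier iterations is rolled back along with it.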
Lines of code
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L157-L173
Vulnerability details
Impact
In RngRelayAuction.sol we have rngComplete(). In rngComplete() we see that _rewards is uint256, and after this, in the for loop, i is uint8.
Assessed type
Loop