The getFighterPoints function is designed to retrieve an array of points for fighters up to a specified maximum token ID via maxId. However, due to a critical oversight, the array points is initialized with a fixed length of 1, regardless of the maxId provided.
This mismatch between the array's size and the intended number of elements to store results in an inevitable index out of bounds error when maxId exceeds 1. This flaw not only prevents the function from executing as intended but also poses a risk of transaction failures for calls to this function, leading to potential disruption in user experience and unnecessary consumption of gas for failed transactions.
Proof of Concept
/// @audit - Potential Enumeration Issue in getFighterPoints
/// @notice Retrieves the points for multiple fighters up to the specified maximum token ID.
/// @param maxId The maximum token ID up to which the points will be retrieved.
/// @return An array of points corresponding to the fighters' token IDs.
function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
uint256[] memory points = new uint256[](1);
for (uint256 i = 0; i < maxId; i++) {
points[i] = fighterPoints[i];
}
return points;
}
Consider a scenario where the contract has registered points for 100 fighters (token IDs 0 through 99). A call to getFighterPoints with maxId = 100 aims to retrieve points for all 100 fighters.
However, due to the array being initialized to a length of 1, attempting to access points[1] for the second fighter, with token ID 1, and beyond results in an index out of bounds error, causing the transaction to revert.
Tools Used
Manual Review
Recommended Mitigation Steps
Modify the initialization of the points array to match the intended number of elements based on maxId, ensuring the array is correctly sized to hold points for all fighters up to maxId.
function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
- uint256[] memory points = new uint256[](1);
+ uint256[] memory points = new uint256[](maxId);
for (uint256 i = 0; i < maxId; i++) {
points[i] = fighterPoints[i];
}
return points;
}
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/MergingPool.sol#L205
Vulnerability details
Impact
The
getFighterPoints
function is designed to retrieve an array of points for fighters up to a specified maximum token ID viamaxId
. However, due to a critical oversight, the array points is initialized with afixed length of 1
, regardless of themaxId
provided.This mismatch between the array's size and the intended number of elements to store results in an inevitable index out of bounds error when maxId exceeds 1. This flaw not only prevents the function from executing as intended but also poses a risk of transaction failures for calls to this function, leading to potential disruption in user experience and unnecessary consumption of gas for failed transactions.
Proof of Concept
Consider a scenario where the contract has registered points for 100 fighters (token IDs 0 through 99). A call to
getFighterPoints
withmaxId = 100
aims to retrieve points for all 100 fighters.However, due to the array being initialized to a
length of 1
, attempting to accesspoints[1]
for the second fighter, with token ID 1, and beyond results in an index out of bounds error, causing the transaction to revert.Tools Used
Manual Review
Recommended Mitigation Steps
Modify the initialization of the points array to match the intended number of elements based on
maxId
, ensuring the array is correctly sized to hold points for all fighters up tomaxId
.Assessed type
Error