search

code-423n4 / 2024-02-ai-arena-findings

4 stars 3 forks source link

Index Out of Bounds in getFighterPoints Function #159

Open c4-bot-6 opened 7 months ago

c4-bot-6 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/MergingPool.sol#L205

Vulnerability details

Impact

The getFighterPoints function is designed to retrieve an array of points for fighters up to a specified maximum token ID via maxId. However, due to a critical oversight, the array points is initialized with a fixed length of 1, regardless of the maxId provided.

This mismatch between the array's size and the intended number of elements to store results in an inevitable index out of bounds error when maxId exceeds 1. This flaw not only prevents the function from executing as intended but also poses a risk of transaction failures for calls to this function, leading to potential disruption in user experience and unnecessary consumption of gas for failed transactions.

Proof of Concept

    /// @audit - Potential Enumeration Issue in getFighterPoints
    /// @notice Retrieves the points for multiple fighters up to the specified maximum token ID.
    /// @param maxId The maximum token ID up to which the points will be retrieved.
    /// @return An array of points corresponding to the fighters' token IDs.
    function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
        uint256[] memory points = new uint256[](1);
        for (uint256 i = 0; i < maxId; i++) {
            points[i] = fighterPoints[i];
        }
        return points;
    }

Consider a scenario where the contract has registered points for 100 fighters (token IDs 0 through 99). A call to getFighterPoints with maxId = 100 aims to retrieve points for all 100 fighters.

However, due to the array being initialized to a length of 1, attempting to access points[1] for the second fighter, with token ID 1, and beyond results in an index out of bounds error, causing the transaction to revert.

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the initialization of the points array to match the intended number of elements based on maxId, ensuring the array is correctly sized to hold points for all fighters up to maxId.

  function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
-    uint256[] memory points = new uint256[](1);
+    uint256[] memory points = new uint256[](maxId);
    for (uint256 i = 0; i < maxId; i++) {
        points[i] = fighterPoints[i];
    }
    return points;
}

Assessed type

Error

c4-pre-sort commented 7 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 7 months ago

raymondfam marked the issue as duplicate of #48

c4-judge commented 6 months ago

HickupHH3 changed the severity to QA (Quality Assurance)