Vulnerability details
The function exchangeRewardsForCompoundingWithIncentive lacks a bounds check after obtaining an index from _findIndex. The function is meant to exchange reward tokens for compounding, but it never verifies that the supplied reward token (_rewardToken) actually exists in the childInfo.rewardTokens array. If an invalid _rewardToken is passed (one not present in the array), the function uses the returned index to read childInfo.reservedForCompound, which is an out-of-bounds access and causes a revert. The contract therefore behaves on the faulty assumption that _findIndex always returns a valid index, which leads to unintended reverts and leaves room for logic that relies on that assumption to be exercised with a token that was never registered. Here is the vulnerable part:
Impact
An attacker can exploit this to disrupt the normal operation of the contract by causing transactions to revert unexpectedly. In a worst-case scenario, if the contract state is manipulated right before such a call, it could lead to logic errors elsewhere in the contract.
Proof of Concept
I fuzzed a scenario and as a result I got this:
Attempting to exchange 500 of tokenA in market1
Transferred 500 of tokenA to pendleChild1 for compounding
Attempting to exchange 1500 of tokenA in market1
Not enough compound
Attempting to exchange 2500 of tokenA in market1
Not enough compound
Attempting to exchange 500 of tokenB in market1
Transferred 500 of tokenB to pendleChild1 for compounding
Attempting to exchange 1500 of tokenB in market1
Transferred 1500 of tokenB to pendleChild1 for compounding
Attempting to exchange 2500 of tokenB in market1
Not enough compound
Attempting to exchange 500 of tokenC in market1
Index out of bounds for tokenC in market1
Attempting to exchange 1500 of tokenC in market1
Index out of bounds for tokenC in market1
Attempting to exchange 2500 of tokenC in market1
Index out of bounds for tokenC in market1
tokenA and tokenB are present in market1's reward token list, so the function behaves as expected when there are enough reserves for compounding, and it correctly reports "Not enough compound" when the requested amount exceeds the reserve. This demonstrates proper handling of tokens that exist within bounds.
tokenC does not exist in market1's reward token list, and the function reports "Index out of bounds for tokenC in market1". This is the result of _findIndex returning an index equal to the length of the reward token list, which is out of bounds. The scenario highlights the bug: because the index returned by _findIndex is never checked, an unknown or unexpected reward token leads to out-of-bounds access.
Tools Used
manual review
Recommended Mitigation Steps
Add a check after obtaining the index from _findIndex and before using it to access childInfo.reservedForCompound: compare the index against the length of the rewardTokens array and revert if the index is greater than or equal to that length, which indicates that the token was not found.
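The following contract is an added illustration of the two paths discussed in the finding and the mitigation above; it is not the Wise Lending / PendlePowerFarmController code. The ChildInfo struct, the register helper, the body of _findIndex and the two simplified exchange functions are assumptions modelled on the names used in this report, written so the vulnerable shape and the mitigated shape sit side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's own code. Struct layout, register(),
// _findIndex() and the exchange functions are assumptions for illustration.
contract RewardIndexExample {
    struct ChildInfo {
        address[] rewardTokens;        // registered reward tokens for a market
        uint256[] reservedForCompound; // reserve per token, same index as above
    }

    mapping(address => ChildInfo) internal childInfo;

    error TokenNotFound(address rewardToken);
    error NotEnoughCompound();

    // Hypothetical registration helper so the example is self-contained.
    function register(address market, address rewardToken, uint256 reserved) external {
        ChildInfo storage info = childInfo[market];
        info.rewardTokens.push(rewardToken);
        info.reservedForCompound.push(reserved);
    }

    // Returns the position of `token`, or `tokens.length` when it is absent.
    // This "length means not found" convention is what the finding describes.
    function _findIndex(address[] storage tokens, address token) internal view returns (uint256) {
        for (uint256 i = 0; i < tokens.length; ++i) {
            if (tokens[i] == token) return i;
        }
        return tokens.length;
    }

    // Vulnerable shape: the index is used without comparing it to the length.
    // For an unregistered token this reads reservedForCompound[length], which
    // reverts with Panic(0x32) (array out of bounds) instead of a clear error.
    function exchangeUnchecked(address market, address rewardToken, uint256 amount) external {
        ChildInfo storage info = childInfo[market];
        uint256 index = _findIndex(info.rewardTokens, rewardToken);
        if (info.reservedForCompound[index] < amount) revert NotEnoughCompound();
        info.reservedForCompound[index] -= amount;
    }

    // Mitigated shape: reject an unknown token before the index is ever used.
    function exchangeChecked(address market, address rewardToken, uint256 amount) external {
        ChildInfo storage info = childInfo[market];
        uint256 index = _findIndex(info.rewardTokens, rewardToken);
        if (index >= info.rewardTokens.length) revert TokenNotFound(rewardToken);
        if (info.reservedForCompound[index] < amount) revert NotEnoughCompound();
        info.reservedForCompound[index] -= amount;
    }
}
```

Calling exchangeUnchecked with a token that was never passed to register reverts with the compiler's out-of-bounds panic, which is the "Index out of bounds" case in the fuzz output above; exchangeChecked turns the same call into an explicit TokenNotFound revert, so a test or monitoring tool can distinguish a bad input from a reserve shortfall (NotEnoughCompound) or from any other panic.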
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L62-L73
Assessed type
Other