The finding concerns the lack of input validation in the _deposit function of the EthereumDepositProcessor contract. Specifically, the function does not validate that the lengths of the targets and stakingIncentives arrays are equal before processing them. This omission could lead to undefined behavior, such as array index out-of-bounds errors, which could potentially crash the contract or lead to unintended operations.
Impact
Contract Failure: If the lengths of targets and stakingIncentives arrays are different, accessing stakingIncentives[i] where i exceeds the length of stakingIncentives could cause the contract to revert due to an array index out-of-bounds error.
Unexpected Behavior: Mismatched array lengths could result in unexpected operations, such as transferring incorrect amounts or failing to deposit incentives to the intended staking contracts.
Before entering the loop, add a require statement to ensure that the targets and stakingIncentives arrays have the same length. This check prevents the function from proceeding if the arrays are not aligned.
```solidity
require(targets.length == stakingIncentives.length, "Targets and stakingIncentives arrays must have the same length.");
```
## Assessed type
Other
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/3ce502ec8b475885b90668e617f3983cea3ae29f/tokenomics/contracts/staking/EthereumDepositProcessor.sol#L86-L115
Vulnerability details
Summary
The finding concerns the lack of input validation in the `_deposit` function of the `EthereumDepositProcessor` contract. Specifically, the function does not validate that the lengths of the `targets` and `stakingIncentives` arrays are equal before processing them. This omission could lead to undefined behavior, such as array index out-of-bounds errors, which could potentially crash the contract or lead to unintended operations.
Impact
Contract Failure: If the lengths of the `targets` and `stakingIncentives` arrays are different, accessing `stakingIncentives[i]` where `i` exceeds the length of `stakingIncentives` could cause the contract to revert due to an array index out-of-bounds error.
Unexpected Behavior: Mismatched array lengths could result in unexpected operations, such as transferring incorrect amounts or failing to deposit incentives to the intended staking contracts.
Proof of Concept
https://github.com/code-423n4/2024-05-olas/blob/3ce502ec8b475885b90668e617f3983cea3ae29f/tokenomics/contracts/staking/EthereumDepositProcessor.sol#L86-L115
Tools Used
Manual Code Review
Recommended Mitigation Steps
Before entering the loop, add a `require` statement to ensure that the `targets` and `stakingIncentives` arrays have the same length. This check prevents the function from proceeding if the arrays are not aligned.
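The following is an added example, not code from the audited repository: a minimal contract with a parallel-array loop of the kind the finding describes, first without and then with the recommended `require`. The contract name `ParallelArrayDeposit`, the `credited` mapping and both function names are hypothetical; only the `targets` and `stakingIncentives` parameter names and the `require` line come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only (hypothetical contract); not the EthereumDepositProcessor source.
contract ParallelArrayDeposit {
    // Stand-in for the per-target deposit; records what each target was credited.
    mapping(address => uint256) public credited;

    /// Unchecked variant: the loop bound is taken from `targets` alone.
    function depositUnchecked(
        address[] calldata targets,
        uint256[] calldata stakingIncentives
    ) external {
        for (uint256 i = 0; i < targets.length; ++i) {
            // If stakingIncentives is shorter than targets, this index access
            // reverts with Panic(0x32) (out-of-bounds) partway through the loop.
            // If stakingIncentives is longer, the surplus entries are never
            // read and the call succeeds without any error being reported.
            credited[targets[i]] += stakingIncentives[i];
        }
    }

    /// Checked variant: the length check from the report runs before the loop.
    function depositChecked(
        address[] calldata targets,
        uint256[] calldata stakingIncentives
    ) external {
        require(
            targets.length == stakingIncentives.length,
            "Targets and stakingIncentives arrays must have the same length."
        );
        for (uint256 i = 0; i < targets.length; ++i) {
            credited[targets[i]] += stakingIncentives[i];
        }
    }
}
```

With the check in place, both mismatch directions fail up front with the same explicit message, instead of one reverting with a generic panic and the other passing silently.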