In the ArrayLib::allUnique() the first for loop iterates from 1 but its limit is set less than the array Length which makes it not reach all the elements in the array provided, this can cause the return bool to be incorrect.
Proof of Concept
In the ArrayLib::allUnique() we have this
...
> for (uint256 i = 1; i < arrLen; ++i) {
for (uint256 j = 0; j < i; ++j) {
...
Lets assume the array given to this function has a length of 15
the first for function will start from 1 and end at 14 because of the condition i < arrLen, making the number of items looped over 14 instead of 15
Tools Used
manual review
Recommended Mitigation Steps
function allUnique(IERC20[] memory arr) internal pure returns (bool) {
uint256 arrLen = arr.length;
- for (uint256 i = 1; i < arrLen; ++i) {
+ for (uint256 i = 0; i < arrLen; ++i) {
for (uint256 j = 0; j < i; ++j) {
if (arr[i] == arr[j]) return false;
}
}
return true;
}
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/libraries/Array.sol#L9-L17
Vulnerability details
Impact
In the
ArrayLib::allUnique()
the first for loop iterates from 1 but its limit is set less than the array Length which makes it not reach all the elements in the array provided, this can cause the return bool to be incorrect.Proof of Concept
In the
ArrayLib::allUnique()
we have thisLets assume the array given to this function has a length of 15 the first for function will start from 1 and end at 14 because of the condition i < arrLen, making the number of items looped over 14 instead of 15
Tools Used
manual review
Recommended Mitigation Steps
Assessed type
Loop