The MissingGroupSize detector is used to report execution paths that do not check the group size.
However, the current recommendation is to use ARC-4 ABI and relative indices to verify the group transaction.
This PR updates the MissingGroupSize detector to consider the usage of absolute indexes. MissingGroupSize now only reports execution paths that use an absolute index to access the group transaction without checking the group size.
Exploit Scenario
Attacker sends following group transaction:
Attacker receives 15 million wrapped-algos instead of 1 million wrapped-algos. Attacker exchanges the wrapped-algo to Algo and steals 14 million Algos. More at building-secure-contracts/not-so-smart-contracts/algorand/group_size_check
Recommendation
Use ARC-4 ABI and relative indexes to verify the group transaction.
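The rule described above, sketched as an added example (not the detector's code from this PR): enumerate execution paths of a TEAL program and report those that read a group transaction through an absolute index (`gtxn N ...`) without reading `global GroupSize` anywhere on the path. The sample program, function names, and the simplification that any read of `global GroupSize` counts as a check are assumptions.

```python
import re

# Constructed TEAL sample: the fall-through branch reads gtxn 0 with no
# group-size check; the "safe" branch checks global GroupSize first.
SAMPLE = """\
txn ApplicationArgs 0
byte "safe"
==
bnz safe
gtxn 0 Amount
return
safe:
global GroupSize
int 2
==
assert
gtxn 0 Amount
return
"""

# Opcodes that take the group index as an immediate, i.e. an absolute index.
ABSOLUTE = re.compile(r"^(gtxn|gtxna|gtxnas)\s+\d+\b")

def parse(src):
    """Return (instructions, label -> instruction index); drops // comments."""
    ins, labels = [], {}
    for line in src.splitlines():
        line = line.split("//")[0].strip()
        if line.endswith(":"):
            labels[line[:-1]] = len(ins)
        elif line:
            ins.append(line)
    return ins, labels

def paths(ins, labels, pc=0, seen=()):
    """Yield each execution path as a tuple of instruction indices."""
    while pc < len(ins) and pc not in seen:  # 'seen' also stops loops
        seen += (pc,)
        op, *args = ins[pc].split()
        if op in ("return", "err"):
            break
        if op in ("bz", "bnz"):  # explore the taken branch, then fall through
            yield from paths(ins, labels, labels[args[0]], seen)
        pc = labels[args[0]] if op == "b" else pc + 1
    yield seen

def missing_group_size(src):
    """Paths that use an absolute group index and never read GroupSize."""
    ins, labels = parse(src)
    all_paths = [[ins[pc] for pc in p] for p in paths(ins, labels)]
    return [ops for ops in all_paths
            if any(ABSOLUTE.match(o) for o in ops)
            and not any(o.split()[:2] == ["global", "GroupSize"] for o in ops)]
```

A path that only uses a relative index, such as `txn GroupIndex`, `int 1`, `-`, `gtxns Amount`, is not reported, which matches the narrowed behaviour the PR describes.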