Calls to setHandler do not explicitly check that input array does not contain duplicate Handler contract addresses. The system appears to handle this gracefully in most cases. However, if the default handler is specified multiple times, it may fail loudly. Regardless, it is clear from the implementation in addHandlers that duplicate handlers should not be allowed.
function setHandlers(
address[] memory _handlers,
uint256[] memory _proportions
) private {
require(
_handlers.length == _proportions.length && _handlers.length > 0,
"setHandlers: handlers & proportions should not have 0 or different lengths"
);
// The 1st will act as the default handler.
defaultHandler = _handlers[0];
uint256 _sum = 0;
for (uint256 i = 0; i < _handlers.length; i++) {
require(
_handlers[i] != address(0),
"setHandlers: handlerAddr contract address invalid"
);
_sum = _sum.add(_proportions[i]);
handlers.push(_handlers[i]);
proportions[_handlers[i]] = _proportions[i];
isHandlerActive[_handlers[i]] = true;
}
// The sum of proportions should be 1000000.
require(
_sum == totalProportion,
"the sum of proportions must be 1000000"
);
}
Severity: Low
Description
This is similar to #14.
Calls to
setHandler
do not explicitly check that input array does not contain duplicate Handler contract addresses. The system appears to handle this gracefully in most cases. However, if the default handler is specified multiple times, it may fail loudly. Regardless, it is clear from the implementation inaddHandlers
that duplicate handlers should not be allowed.Recommendation
Add a check for duplicate Handlers to
setHandler
.