search

re-al-Foundation / rwa-contracts

0 stars 0 forks source link

[RDR-01M] Incorrect Validation of Array Lengths #57

Closed chasebrownn closed 6 months ago

chasebrownn commented 6 months ago

RDR-01M: Incorrect Validation of Array Lengths

Type Severity Location
Input Sanitization RevenueDistributor.sol:L189

Description:

The referenced require check within the RevenueDistributor::convertRewardTokenBatch function is meant to ensure that the input arrays are of identical length, however, it fails to do so.

Specifically, if the len is different from the _amounts.length and the _targets.length is different from the _data.length, the check will consider the lengths "valid" as false == false.

Impact:

The code permits potential compilation bugs to be exploited due to out-of-bound array access.

Example:

function convertRewardTokenBatch(
    address[] memory _tokens,
    uint256[] memory _amounts,
    address[] memory _targets,
    bytes[] calldata _data
) external isDistributor returns (uint256[] memory _amountsOut) {
    uint256 len = _tokens.length;
    require(
        (len == _amounts.length) == (_targets.length == _data.length),
        "Invalid length"
    );

Recommendation:

We advise the code to validate the lengths in a sequential manner, ensuring all arrays are of equal length.

chasebrownn commented 6 months ago

Resolved