search

salvorio / salvor-contracts

0 stars 0 forks source link

[SLG-03M] Inexistent Validation of Array Lengths #12

Closed HKskn closed 2 months ago

HKskn commented 7 months ago

SLG-03M: Inexistent Validation of Array Lengths

Type Severity Location
Input Sanitization SalvorLending.sol:L166, L196-L201, L214, L233, L251, L273-L278, L298-L303

Description:

The referenced functions do not ensure that the array lengths are matching, causing potentially undefined behaviour to arise due to out-of-bound array access.

Example:

/**
* @notice Allows the contract owner to cancel multiple loans. This function is only operational when the contract is not paused and is protected against reentrancy. (It's not used anymore)
* @param _loanOffers Array of loan offers to be cancelled.
* @param _signatures Array of signatures corresponding to each loan offer.
*/
function cancelLoans(LibLending.LoanOffer[] calldata _loanOffers, bytes[] calldata _signatures) external onlyOwner whenNotPaused nonReentrant {
    uint256 len = _loanOffers.length;
    for (uint256 i; i < len; ++i) {
        cancelLoan(_loanOffers[i], _signatures[i]);
    }
}

Recommendation:

We advise a require check to be introduced ensuring that all input arguments share the same length in each function.

HKskn commented 7 months ago

The cancelLoan function has been removed and will no longer be used.