Missing check for equal length arrays in TelcoinDistributor: proposeTransaction()
Summary
The proposeTransaction() functions in TelcoinDistributor.sol does not check whether the lengths of the arrays submitted are equal. This can lead to unexpected results.
Vulnerability Detail
In the proposeTransaction() function, the council member submits two arrays (destinations, and amounts)
The expectation is that the council member submitting the function will ensure that the indexes of the arrays correspond to the correct values in the other arrays, thus that the lengths will be the same. Common practice in such a situation is to verify that the lengths are equal to ensure the council member hasn't made an error.
However, in this functions, we simply iterate through the destinations array without performing this check, and then call out safeTransfer() for each destination separately in batchTelcoin()
for (uint i = 0; i < destinations.length; i++) {
TELCOIN.safeTransfer(destinations[i], amounts[i]);
}
Impact
If the destinations array is shorter than the amounts arrays, the additional values in the amounts arrays will be ignored. This could lead to transfers with unexpected results, while destinations array is longer than the amounts arrays, it would make the batchTelcoin() always revert since amounts[i] doesn't exist.
sonny2k
medium
Missing check for equal length arrays in TelcoinDistributor: proposeTransaction()
Summary
The
proposeTransaction()
functions inTelcoinDistributor.sol
does not check whether the lengths of the arrays submitted are equal. This can lead to unexpected results.Vulnerability Detail
In the
proposeTransaction()
function, the council member submits two arrays (destinations
, andamounts
)The expectation is that the council member submitting the function will ensure that the indexes of the arrays correspond to the correct values in the other arrays, thus that the lengths will be the same. Common practice in such a situation is to verify that the lengths are equal to ensure the council member hasn't made an error.
However, in this functions, we simply iterate through the destinations array without performing this check, and then call out
safeTransfer()
for each destination separately inbatchTelcoin()
Impact
If the
destinations
array is shorter than theamounts
arrays, the additional values in theamounts
arrays will be ignored. This could lead to transfers with unexpected results, whiledestinations
array is longer than theamounts
arrays, it would make the batchTelcoin() always revert since amounts[i] doesn't exist.Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L87
Tool used
Manual Review
Recommendation
Add a check to the proposeTransaction() function that confirms that destinations, and amounts are all equal in length.
Duplicate of #2