Closed sherlock-admin closed 7 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
I think the function works as it should and the loop should be skipped the first time
0xAadi commented:
Invalid: wrong statement, feeCount is updated in the loop
trauki
medium
Medium - Flawed logic inside getFeeOutputs() function
Summary
getFeeOutputs() applies fees to the output token and returns it, but the logic inside this function is flawed.
Vulnerability Detail
First, this loop is supposed to update the fee amount if it is the correct output token, except under the current logic, this loop can never be reached. This is because feeCount is initialized with the default uint256 value of 0, never updated, and then used inside the for loop conditional that says "run while 0 is less than 0", which obviously can never be true.
Even if we updated the for loop's conditional to say "run while 0 is less than or equal to 0" (j <= feeCount;), the next issue lies directly inside of the loop:
We initialize result as the empty OutputToken array with a length of 1, then we set feeOutput as an OutputToken object, using result, and finally, we try to compare a value between an empty object with uninitialized values, to an actual value that was passed as input to the function. This means it is essentially the same as this when using an actual ERC20 output:
Unless using native currency like ETH as address(0), this if statement will never be true, meaning the bool found will always be false, and feeOutput.amount will never be incremented by feeAmount. However, even if the previous logic was correct so that this if statement could be reached, the only thing returned from the function would be the empty result object, since it is never actually updated.
There is one additional bug I found in this function: if the feeAmount is returned as 0, meaning there is no fee on the pair, then the result is returned as an empty OutputToken[](1) with default values for everything, which will once again cause any future logic relying on these variables to fail or break in unexpected ways.
Impact
Code inside of getFeeOutputs() can never be reached or could return a struct with uninitialized values.
Code Snippet
This is the entire function that I broke apart and explained above; you can view the entire file here.
Tool used
Manual Review
Recommendation
for loop to use a conditional that says j <= feeCount as opposed to <.
if statements are initialized.
else conditionals or at least ensure that the result object that is returned never contains empty/default values.