sherlock-audit / 2024-02-rubicon-finance-judging


itsabinashb - GladiusOrderQuoter::No limitation on returned bytes #40

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

itsabinashb

medium

GladiusOrderQuoter::No limitation on returned bytes

Summary

GladiusOrderQuoter::quote() does not have any limit on the byte size of returned error results; results exceeding the memory limit will cause a runtime error.

Vulnerability Detail

The quote() catches the error message in bytes form:

        {} catch (bytes memory reason) {

However, this function does not have any check for a maximum limit on the returned bytes.

Impact

If the returned bytes are too large and exceed the memory limit, the transaction will revert and the expected ResolvedOrder memory result will not be returned.

Code Snippet

  1. https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lens/GladiusOrderQuoter.sol#L30-L39

Tool used

Manual Review

Recommendation

Put an expected maximum limit on the returned bytes for reason.

sherlock-admin commented 9 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Low

0xAadi commented:

Invalid: check is performed in parseRevertReason()

itsabinashb commented 9 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Low

0xAadi commented:

Invalid: check is performed in parseRevertReason()

The check is

        if (reason.length < 192) {
            assembly {
                revert(add(32, reason), mload(reason))
            }

The check is whether the length is less than 192. If the returned bytes are huge, which can exceed the memory, then there is no check to revert that, because there is no check for maximum length.
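
For reference, an upper bound of the kind the report's Recommendation asks for could be written as below. This is an added example, not code from the Gladius repository or from any commenter in this thread; the names CappedQuoter, MAX_REASON_BYTES, MIN_ORDER_BYTES, ReasonTooLarge and quoteRaw are hypothetical, and the 4096-byte cap is an assumed value. It reads returndatasize() before copying anything, so the size check runs before memory is expanded, and it keeps the lower bound of 192 from the quoted check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not code from the Gladius repository.
// All names here are hypothetical.
contract CappedQuoter {
    // Assumed cap; the report does not propose a number.
    uint256 internal constant MAX_REASON_BYTES = 4096;
    // Same lower bound as the quoted parseRevertReason() check.
    uint256 internal constant MIN_ORDER_BYTES = 192;

    error ReasonTooLarge(uint256 size);

    /// Calls `reactor` with `callData` and returns its revert data only if
    /// MIN_ORDER_BYTES <= size <= MAX_REASON_BYTES.
    function quoteRaw(address reactor, bytes memory callData)
        external
        returns (bytes memory reason)
    {
        bool ok;
        uint256 size;
        assembly {
            // Output buffer of length 0: the EVM copies nothing to memory yet.
            ok := call(gas(), reactor, 0, add(callData, 0x20), mload(callData), 0, 0)
            size := returndatasize()
        }
        // The call did not revert, so there is no reason to parse.
        if (ok) return new bytes(0);

        // Upper bound is checked before any return data is copied.
        if (size > MAX_REASON_BYTES) revert ReasonTooLarge(size);

        reason = new bytes(size);
        assembly {
            // The return data buffer is still valid: no call happened since.
            returndatacopy(add(reason, 0x20), 0, size)
        }

        // Short payloads are bubbled up unchanged, as in the quoted check.
        if (size < MIN_ORDER_BYTES) {
            assembly {
                revert(add(reason, 0x20), size)
            }
        }
        // Otherwise `reason` holds the encoded order for the caller to decode.
    }
}
```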