search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

bareli - No check on array length on routeToPath #117

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

bareli

medium

No check on array length on routeToPath

Summary

no check on array length on routeToPath.There should be a array check such that route length should be grater than fee length by 1.

Vulnerability Detail

function routeToPath( address[] memory _route, uint24[] memory _fee ) internal pure returns (bytes memory path) { path = abi.encodePacked(_route[0]); uint256 feeLength = _fee.length; for (uint256 i = 0; i < feeLength; i++) { @>> path = abi.encodePacked(path, _fee[i], _route[i+1]); } }

Impact

wrong calculation of the routeToPath

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/VeloSwapUtils.sol#L94

Tool used

Manual Review

Recommendation

require(_route.length== _fee.length+1);
sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; input validation