The createBoost function uses an outdated method for adding elements to a storage array and obtaining a reference to the new element.
Vulnerability Detail
The line BoostLib.Boost storage boost = _boosts.push(); attempts to add a new element to the _boosts array and obtain a reference to it. However, the .push() from Solidity 0.6.0 onward, no longer returns a reference. It only appends the new element to the array but does not return a reference to the newly added element.
In this case, boost variable ends up being a null or invalid reference. This is because push() does not return anything anymore.
Impact
Due to the use of push() in the createBoost function of BoostCore contract (using solidity ^0.8.24) , the boost variable will not reference a newly created element as intended.
_boosts.push(); // Pushes a new empty BoostLib.Boost struct to the array
BoostLib.Boost storage boost = _boosts[_boosts.length - 1]; // Retrieves reference to the new struct
Smacaud
Medium
push() doesn't return a reference
Summary
The createBoost function uses an outdated method for adding elements to a storage array and obtaining a reference to the new element.
Vulnerability Detail
The line
BoostLib.Boost storage boost = _boosts.push();attempts to add a new element to the _boosts array and obtain a reference to it. However, the.push()from Solidity 0.6.0 onward, no longer returns a reference. It only appends the new element to the array but does not return a reference to the newly added element.In this case, boost variable ends up being a null or invalid reference. This is because push() does not return anything anymore.
Impact
Due to the use of
push()in the createBoost function of BoostCore contract (using solidity ^0.8.24) , the boost variable will not reference a newly created element as intended.Code Snippet
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L118
Tool used
Manual Review
Recommendation
Update the code this way;
_boosts.push(); // Pushes a new empty BoostLib.Boost struct to the array BoostLib.Boost storage boost = _boosts[_boosts.length - 1]; // Retrieves reference to the new struct