sherlock-audit / 2024-06-boost-aa-wallet-judging


Shaggy Cherry Otter - createBoost function does not validate the number of incentives added #490

Closed sherlock-admin2 closed 2 months ago

sherlock-admin2 commented 2 months ago

Shaggy Cherry Otter

Low/Info

createBoost function does not validate the number of incentives added

Summary

Although there is a limit of 8 incentives, the createBoost() function does not enforce this limit. The check is only performed within the SignerValidator's validate.

Vulnerability Detail

The createBoost() function does not validate the number of incentives being added, even though the SignerValidator's validate function enforces a limit of 8. This means that when a user creates a new boost, their funds are transferred, and the boost is created. However, they will be unable to claim incentives with an index higher than 7.

Impact

This issue could cause the entire boost process to stop, requiring the owner to use the clawback() function to retrieve their funds from the incentives contract.

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/validators/SignerValidator.sol#L131

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/validators/SignerValidator.sol#L70

Tool used

Manual Review

Recommendation

Add a check in the createBoost function to ensure the number of incentives does not exceed the limit of 8.
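The recommendation above, sketched as an added example that is not part of the original report and is not the Boost protocol's code. The contract, function and error names and the 8-bit claim map are assumptions chosen to model the behaviour the finding describes: an unchecked creation path beside one that applies the limit of 8 up front.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration. Contract, function and error names are
// assumptions and do not reproduce the Boost protocol's contracts.
contract BoostModel {
    uint256 public constant MAX_INCENTIVES = 8; // limit stated in the finding

    error TooManyIncentives(uint256 provided, uint256 max);
    error IndexOutOfRange(uint256 index);
    error AlreadyClaimed(uint256 boostId, uint256 index);

    struct Boost {
        address owner;
        address[] incentives;
    }

    Boost[] private boosts;
    // boostId => claimant => one claimed-bit per incentive index (0..7).
    // The 8-bit map is an assumption used to model the claim-time limit.
    mapping(uint256 => mapping(address => uint8)) private claimed;

    // Behaviour described in the finding: any number of incentives is accepted,
    // so entries at index 8 and above are stored but can never be claimed.
    function createBoostUnchecked(address[] calldata incentives) external returns (uint256) {
        return _store(incentives);
    }

    // Recommended behaviour: apply the claim-time limit at creation time.
    function createBoost(address[] calldata incentives) external returns (uint256) {
        if (incentives.length > MAX_INCENTIVES) {
            revert TooManyIncentives(incentives.length, MAX_INCENTIVES);
        }
        return _store(incentives);
    }

    // Claim-side check: indexes above 7 revert, mirroring the validator's limit.
    function markClaimed(uint256 boostId, uint256 index) external {
        if (index >= MAX_INCENTIVES || index >= boosts[boostId].incentives.length) {
            revert IndexOutOfRange(index);
        }
        uint8 mask = uint8(uint256(1) << index);
        if ((claimed[boostId][msg.sender] & mask) != 0) revert AlreadyClaimed(boostId, index);
        claimed[boostId][msg.sender] |= mask;
    }

    function _store(address[] calldata incentives) private returns (uint256 id) {
        id = boosts.length;
        Boost storage b = boosts.push();
        b.owner = msg.sender;
        b.incentives = incentives;
    }
}
```

A unit test for the real contract would assert that creating a boost with nine incentives reverts and that one with exactly eight succeeds.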