Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 156/169
Findings: 1
Award: $35.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x3b, 0xAgro, 0xBeirao, 0xMirce, 0xNineDec, 0xRobocop, 0xSmartContract, 0xTraub, 0xWeiss, 2997ms, 41i3xn, Awesome, Aymen0909, Bauer, Bnke0x0, Breeje, Cryptor, DadeKuma, Deathstore, Deekshith99, DevABDee, DevTimSch, Dewaxindo, Diana, Ermaniwe, Guild_3, H0, IceBear, Inspectah, JDeryl, Kaiziron, Kaysoft, Kenshin, Mukund, Praise, RaymondFam, Rickard, Rolezn, Ruhum, Sathish9098, SkyWalkerMan, SleepingBugs, UdarTeam, Udsen, Walter, aashar, adeolu, apvlki, arialblack14, ast3ros, btk, chaduke, chandkommanaboyina, chrisdior4, climber2002, codetilda, cryptonue, cryptostellar5, csanuragjain, ddimitrov22, descharre, dharma09, doublesharp, eccentricexit, ethernomad, fs0c, georgits, halden, hansfriese, hashminer0725, immeas, lukris02, luxartvinsec, matrix_0wl, merlin, mookimgo, mrpathfindr, nadin, olegthegoat, pavankv, rbserver, rebase, savi0ur, sayan, scokaf, seeu, shark, simon135, tnevler, tsvetanovv, ulqiorra, ustas, waldenyan20, y1cunhui, yongskiws, yosuke
35.4779 USDC - $35.48
Missing input validation
Impact: The function below, "setPermissions()", does not have proper input validation checks. As a result, the caller of this function is able to pass arrays with different lengths for the "targets" and "newPermissions" parameters; a mismatch could lead to an exception or undefined behavior.
Proof of Concept:
https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/PermissionRegistry.sol#L38-L48
When calling the 'setPermissions' function with an array of target addresses and an array of permissions that are not of equal length, it reverts with a 'Mismatch' error, indicating that the input validation check has failed.
When modifying the 'targets' array to be longer than the length of the 'newPermissions' array and then calling the 'setPermissions' function again, it continues executing instead of reverting with a 'Mismatch' error, indicating that the input validation check has been bypassed.
Tools used: Visual Studio Code, Remix
Recommended Mitigation: Add input validation to check that the array lengths match:
require(targets.length == newPermissions.length, "Mismatch");
This will ensure that the "setPermissions()" function is only executed when the arrays are of equal lengths and will prevent any potential exploitation.
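An added example, not part of the submission and not the audited contract's code: a hypothetical `ExampleRegistry` showing how a paired-array setter behaves with and without the length check under Solidity 0.8. The contract name, both function names and the `Permission` fields are assumptions made for illustration, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical registry written for this example; not the audited PermissionRegistry.
/// Access control is intentionally left out to keep the focus on input validation.
contract ExampleRegistry {
    struct Permission {
        bool endorsed;
        bool rejected;
    }

    error Mismatch();

    mapping(address => Permission) public permissions;

    /// No length check: the loop is driven by targets.length only.
    /// - newPermissions longer than targets: the surplus entries are silently ignored.
    /// - newPermissions shorter than targets: newPermissions[i] reverts with
    ///   Panic(0x32) (out-of-bounds index), rolling back the writes made so far.
    function setPermissionsUnchecked(
        address[] calldata targets,
        Permission[] calldata newPermissions
    ) external {
        for (uint256 i = 0; i < targets.length; i++) {
            permissions[targets[i]] = newPermissions[i];
        }
    }

    /// Length check first: any mismatch fails with a named error before
    /// any storage write, regardless of which array is the longer one.
    function setPermissionsChecked(
        address[] calldata targets,
        Permission[] calldata newPermissions
    ) external {
        uint256 len = targets.length;
        if (len != newPermissions.length) revert Mismatch();
        for (uint256 i = 0; i < len; i++) {
            permissions[targets[i]] = newPermissions[i];
        }
    }
}
```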
#0 - c4-judge
2023-02-28T14:54:18Z
dmvt marked the issue as grade-b