Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 162/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L183
These input validation enhancements in the transferAssetToNodeDelegator function are designed to safeguard against potential errors and misuse. By ensuring that inputs are within expected bounds and meaningful (non-zero), the contract becomes more robust, secure, and user-friendly.
In the transferAssetToNodeDelegator function of the LRTDepositPool contract, the suggested enhancements involve adding input validation checks. These are intended to ensure the function handles only valid and expected data, enhancing its security and reliability.
Suggested Changes:
Validation for ndcIndex: Added a check to ensure the ndcIndex (Node Delegator Contract Index) is within the bounds of the nodeDelegatorQueue array.
require(ndcIndex < nodeDelegatorQueue.length, "InvalidIndex: NDC index out of bounds");
Validation for amount: Added a check to ensure the amount being transferred is greater than 0.
require(amount > 0, "InvalidAmount: Transfer amount must be greater than 0");
Here is the modified function:
function transferAssetToNodeDelegator(uint256 ndcIndex, address asset, uint256 amount) external {
    require(ndcIndex < nodeDelegatorQueue.length, "InvalidIndex: NDC index out of bounds");
    require(amount > 0, "InvalidAmount: Transfer amount must be greater than 0");
    // Existing code...
}
VS code
Rationale Behind the Changes:
Index Bounds Check: Ensuring that the ndcIndex is within the bounds of the nodeDelegatorQueue array prevents out-of-bounds access, which is a common source of errors in programming. Accessing an array with an invalid index could lead to unexpected behavior or even cause the contract to revert unexpectedly. This check adds a layer of protection against both inadvertent mistakes and potential malicious attempts to disrupt the contract's functionality.
Non-Zero Amount Check: The check for a non-zero transfer amount is crucial to prevent wasteful transactions that don't actually transfer any assets. Transferring zero assets could still consume gas and clutter the blockchain with meaningless transactions. It also helps in maintaining logical consistency within the contract, ensuring that every call to this function has a tangible effect.
Access Control
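Added example, not part of the submission or of Kelp's code: a minimal contract that reports which error an out-of-range ndcIndex produces with and without the suggested require. On a Solidity 0.8.x compiler (assumed here) the unguarded array read already reverts with Panic code 0x32, so the explicit check changes the error that callers see, not whether the call reverts. QueueIndexDemo, pickUnchecked, pickChecked, probe, _revertSelector and the sample addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumption: a 0.8.x compiler with checked array access

// Added illustration, not Kelp's LRTDepositPool. Only nodeDelegatorQueue,
// ndcIndex, amount and the two require messages come from the page.
contract QueueIndexDemo {
    address[] public nodeDelegatorQueue;

    constructor() {
        // Constructed sample entries.
        nodeDelegatorQueue.push(address(0x1001));
        nodeDelegatorQueue.push(address(0x1002));
    }

    // No explicit check: the compiler-inserted bounds check reverts with
    // Panic(uint256) (selector 0x4e487b71, code 0x32) when ndcIndex >= length.
    function pickUnchecked(uint256 ndcIndex) external view returns (address) {
        return nodeDelegatorQueue[ndcIndex];
    }

    // With the checks suggested in the submission: reverts with
    // Error(string) (selector 0x08c379a0) carrying the named reason.
    function pickChecked(uint256 ndcIndex, uint256 amount) external view returns (address) {
        require(ndcIndex < nodeDelegatorQueue.length, "InvalidIndex: NDC index out of bounds");
        require(amount > 0, "InvalidAmount: Transfer amount must be greater than 0");
        return nodeDelegatorQueue[ndcIndex];
    }

    // Calls both variants with the same index and returns the 4-byte selector
    // of each revert, or 0x00000000 for a call that succeeded.
    function probe(uint256 ndcIndex) external view returns (bytes4 plain, bytes4 guarded) {
        plain = _revertSelector(abi.encodeWithSelector(this.pickUnchecked.selector, ndcIndex));
        guarded = _revertSelector(abi.encodeWithSelector(this.pickChecked.selector, ndcIndex, uint256(1)));
    }

    // Performs a static self-call and extracts the selector from the revert data.
    function _revertSelector(bytes memory callData) private view returns (bytes4) {
        (bool ok, bytes memory data) = address(this).staticcall(callData);
        return ok ? bytes4(0) : bytes4(data);
    }
}
```

Calling probe with an index of 2 or more on this two-entry queue exercises both revert paths; off-chain clients and monitoring that decode revert data need to handle the Panic form if the explicit check is absent.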
#0 - c4-pre-sort
2023-11-16T05:13:42Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T05:13:52Z
raymondfam marked the issue as duplicate of #69
#2 - c4-judge
2023-11-29T20:58:12Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T21:02:13Z
fatherGoose1 marked the issue as grade-b