Canto Dex Oracle contest - Sm4rty's results

Lines of code

https://github.com/code-423n4/2022-09-canto/tree/main/src/Swap/BaseV1-core.sol#L96 https://github.com/code-423n4/2022-09-canto/tree/main/src/Swap/BaseV1-core.sol#L149 https://github.com/code-423n4/2022-09-canto/tree/main/src/Swap/BaseV1-core.sol#L608

Vulnerability details

As this array can grow quite large, the transaction’s gas cost could exceed the block gas limit and make it impossible to call this function at all (see @audit):

Instances:

Observation array: BaseV1-core.sol:L96 BaseV1-core.sol:L149 BaseV1-core.sol:L242 BaseV1-core.sol:L248 BaseV1-core.sol:L249

src/Swap/BaseV1-core.sol:96:        observations.push(Observation(block.timestamp, 0, 0,0)); //@audit low: a push exist but there's no pop in the solution.
src/Swap/BaseV1-core.sol:149:       observations.push(Observation(blockTimestamp, reserve0CumulativeLast, reserve1CumulativeLast, totalSupplyCumulativeLast)); //@audit low: a push exist but there's no pop in the solution.


src/Swap/BaseV1-core.sol:242:        uint lastIndex = observations.length-1;
..
src/Swap/BaseV1-core.sol:248:         for(; i < lastIndex; i+=window) { //@audit low: poolInfo is unbounded
src/Swap/BaseV1-core.sol:249:             nextIndex = i + window;

allPairs array: BaseV1-core.sol:L608 BaseV1-core.sol:L564 BaseV1-core.sol:L565 BaseV1-core.sol:L566

src/Swap/BaseV1-core.sol:608:        allPairs.push(pair); //@audit low: a push exist but there's no pop in the solution.

src/Swap/BaseV1-core.sol:564:         for (uint i; i < allPairs.length; ) { //@audit low: poolInfo is unbounded
src/Swap/BaseV1-core.sol:565:             BaseV1Pair(allPairs[i]).setPeriodSize(newPeriod);
src/Swap/BaseV1-core.sol:566:             unchecked {++i;}

Recommendations

Consider introducing a reasonable upper limit based on block gas limits and/or adding a remove method to remove elements in the array.

References:

https://code4rena.com/reports/2022-04-phuture/#l-03-unbounded-loops-with-external-calls