Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 176/283
Findings: 1
Award: $8.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: givn
Also found by: 0x11singh99, 0xAkira, 0xBinChook, 0xDetermination, 0xMosh, 0xStriker, 0xmystery, 14si2o_Flint, 7ashraf, Aamir, AlexCzm, BARW, Bauchibred, BenasVol, BigVeezus, Blank_Space, Bube, DarkTower, DeFiHackLabs, EagleSecurity, KmanOfficial, Krace, McToady, MrPotatoMagic, PetarTolev, Rolezn, SHA_256, SpicyMeatball, Tekken, Timenov, ZanyBonzy, agadzhalov, alexzoid, boredpukar, btk, cartlex_, dimulski, forkforkdog, haxatron, immeas, jesjupyter, juancito, kartik_giri_47538, klau5, lsaudit, merlinboii, nuthan2x, offside0011, oualidpro, peter, radev_sw, rekxor, rspadi, shaflow2, shaka, swizz, vnavascues, yotov721, yovchev_yoan
8.8123 USDC - $8.81
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/MergingPool.sol#L205
The getFighterPoints function is designed to retrieve an array of points for fighters up to a specified maximum token ID via maxId. However, due to an oversight, the array points is initialized with a fixed length of 1, regardless of the maxId provided.
Because the loop writes points[i] for every i below maxId, any call with maxId greater than 1 reaches index 1 of a one-element array and reverts with an index-out-of-bounds panic (Panic(0x32)). The function is therefore unusable for any collection with more than one fighter: off-chain callers receive a revert instead of data, and any on-chain caller that wires this getter into a transaction pays gas for a call that always fails.
```solidity
/// @audit - Potential Enumeration Issue in getFighterPoints
/// @notice Retrieves the points for multiple fighters up to the specified maximum token ID.
/// @param maxId The maximum token ID up to which the points will be retrieved.
/// @return An array of points corresponding to the fighters' token IDs.
function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
    uint256[] memory points = new uint256[](1);
    for (uint256 i = 0; i < maxId; i++) {
        points[i] = fighterPoints[i];
    }
    return points;
}
```
Consider a scenario where the contract has registered points for 100 fighters (token IDs 0 through 99). A call to getFighterPoints with maxId = 100 aims to retrieve points for all 100 fighters. However, because the array is initialized to a length of 1, the loop's second iteration attempts to write points[1] for the fighter with token ID 1, which is out of bounds, so the call reverts before any later fighter is reached. Only maxId = 0 and maxId = 1 ever return without reverting.
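The failure mode above, as an added example that is not part of the original finding or the AI Arena codebase: a self-contained Solidity contract that carries both the quoted buggy getter and the corrected one, seeds a constructed mapping with points for five token IDs, and uses an external self-call inside try/catch to show which maxId values revert. The contract name, the demo helpers, and the assumption that fighterPoints is a mapping from token ID to points are mine, not the project's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not MergingPool's code. Assumes `fighterPoints` is a
/// mapping from token ID to points, as the finding's snippet implies.
contract FighterPointsDemo {
    mapping(uint256 => uint256) public fighterPoints;

    constructor() {
        // Constructed sample data: points for token IDs 0..4.
        for (uint256 i = 0; i < 5; i++) {
            fighterPoints[i] = (i + 1) * 100;
        }
    }

    /// Buggy version, as quoted in the finding: the array has a single slot,
    /// so the loop writes past its end as soon as maxId > 1 and the call
    /// reverts with Panic(0x32) (array index out of bounds).
    function getFighterPointsBuggy(uint256 maxId) public view returns (uint256[] memory) {
        uint256[] memory points = new uint256[](1);
        for (uint256 i = 0; i < maxId; i++) {
            points[i] = fighterPoints[i];
        }
        return points;
    }

    /// Fixed version: the array is sized to maxId. IDs below maxId that have
    /// no registered points come back as 0, the mapping's default value.
    function getFighterPointsFixed(uint256 maxId) public view returns (uint256[] memory) {
        uint256[] memory points = new uint256[](maxId);
        for (uint256 i = 0; i < maxId; i++) {
            points[i] = fighterPoints[i];
        }
        return points;
    }

    /// Calls the buggy getter through an external self-call so its revert
    /// can be caught. Returns true if the call succeeded, false if it reverted.
    function buggyCallSucceeds(uint256 maxId) external view returns (bool ok) {
        try this.getFighterPointsBuggy(maxId) returns (uint256[] memory) {
            ok = true;
        } catch {
            ok = false;
        }
    }

    /// Walks through the cases from the finding: maxId of 0 or 1 succeeds on
    /// the buggy getter, maxId of 2 or 100 reverts on it, and the fixed getter
    /// returns an array of exactly maxId elements for all of them.
    function demo()
        external
        view
        returns (bool buggyOkAt1, bool buggyOkAt2, bool buggyOkAt100, uint256 fixedLenAt100)
    {
        buggyOkAt1 = this.buggyCallSucceeds(1);
        buggyOkAt2 = this.buggyCallSucceeds(2);
        buggyOkAt100 = this.buggyCallSucceeds(100);
        fixedLenAt100 = getFighterPointsFixed(100).length;
    }
}
```

Deploy the contract and call demo() from any client; the first flag is true and the two after it are false, while the last value equals 100. The try/catch works only because the buggy getter is reached through `this.`, which turns it into a staticcall whose panic can be caught; a plain internal call would propagate the revert to the caller.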
Manual Review
Modify the initialization of the points array to match the intended number of elements based on maxId, ensuring the array is correctly sized to hold points for all fighters up to maxId.
```diff
function getFighterPoints(uint256 maxId) public view returns(uint256[] memory) {
-    uint256[] memory points = new uint256[](1);
+    uint256[] memory points = new uint256[](maxId);
    for (uint256 i = 0; i < maxId; i++) {
        points[i] = fighterPoints[i];
    }
    return points;
}
```
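Review bot: the `+` line sizes the array to maxId, but nothing in the function bounds maxId against the number of fighters that actually have points, so a caller can pass an arbitrarily large value and the loop allocates and fills that many slots, reading `fighterPoints[i]` for IDs that were never registered (returning zeros if fighterPoints is a mapping, or reverting if it is a storage array) and driving the call toward the block gas limit for large inputs; consider a `require(maxId <= <number of fighters>)` style bound, or document that callers must supply a sensible maxId.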
Error
#0 - c4-pre-sort
2024-02-22T23:53:54Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-02-22T23:54:05Z
raymondfam marked the issue as duplicate of #48
#2 - c4-judge
2024-03-08T03:33:16Z
HickupHH3 changed the severity to QA (Quality Assurance)