Audit: Revert if `start>stop`
Closed this issue · 3 comments
0x3agle commented
- At multiple instances, the stop value is capped by
array.length - After that make sure that
start < stopotherwiserevertwith a custom error. - This approach ensures the indices are valid and within the array's bounds, preventing out-of-range errors and improving the contract's robustness.
Instances:
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/Locker.sol#L90
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/Locker.sol#L114
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/Locker.sol#L114
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/MCV2_Bond.sol#L467
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/MCV2_Bond.sol#L499
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/MCV2_Bond.sol#L523
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/MerkleDistributor.sol#L190
- https://github.com/Steemhunt/mint.club-v2-contract/blob/main/contracts/MerkleDistributor.sol#L214
the-first-elder commented
There is an unchecked keyword it doesn't matter
unchecked {
uint256 lockUpsLength = lockUps.length;
if (stop > lockUpsLength) {
stop = lockUpsLength;
}
uint256 count;
for (uint256 i = start; i < stop; ++i) {
if (lockUps[i].token == token) ++count;
}
ids = new uint256[](count);
uint256 j;
for (uint256 i = start; i < stop; ++i) {
if (lockUps[i].token == token) {
ids[j++] = i;
if (j == count) break;
}
}
}sydneyitguy commented
It won't revert with custom error if start < stop
because
uint256 count;
for (uint256 i = start; i < stop; ++i) {
if (tokenBond[tokens[i]].reserveToken == reserveToken) ++count;
}it will just set the count zero, and an empty address is returned
0x3agle commented
Agreed