code-423n4/2024-07-loopfi-validation

No array length check in multisend

Closed this issue · 0 comments

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/main/src/proxy/PositionAction.sol#L269

Vulnerability details

Impact

There is no array length check in multisend.
Nothing verifies that targets, data and delegateCall all have the same length.

Proof of Concept

```solidity
function multisend(
    address[] calldata targets,
    bytes[] calldata data,
    bool[] calldata delegateCall
) external onlyDelegatecall {
    uint256 totalTargets = targets.length;
    for (uint256 i; i < totalTargets; ) {
        if (delegateCall[i]) {
            _delegateCall(targets[i], data[i]);
        } else {
            (bool success, bytes memory response) = targets[i].call(data[i]);
            if (!success) _revertBytes(response);
        }
        unchecked {
            ++i;
        }
    }
}
```

Tools Used

Recommended Mitigation Steps

```solidity
require(targets.length == data.length);
require(data.length == delegateCall.length);
```
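The recommended check placed in a complete function, as an added example that is not LoopFi's code. The contract name, both error names and the `SELF`-based `onlyDelegatecall` guard are assumptions made for illustration. In Solidity 0.8 an out-of-range index on a calldata array already reverts with `Panic(0x32)`, so the explicit check mainly gives a descriptive error before any call runs and rejects batches whose `data` or `delegateCall` arrays are longer than `targets`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example (not the project's code): multisend with length validation.
contract CheckedMultisend {
    /// Hypothetical error; reports all three lengths to ease debugging.
    error ArrayLengthMismatch(uint256 targets, uint256 data, uint256 delegateCall);
    /// Hypothetical error for the assumed delegatecall-only guard.
    error NotDelegatecall();

    // Assumed guard: the deployed contract's own address, fixed at deployment.
    address private immutable SELF = address(this);

    modifier onlyDelegatecall() {
        // When reached via delegatecall, address(this) is the caller's address.
        if (address(this) == SELF) revert NotDelegatecall();
        _;
    }

    function multisend(
        address[] calldata targets,
        bytes[] calldata data,
        bool[] calldata delegateCall
    ) external onlyDelegatecall {
        uint256 totalTargets = targets.length;
        // Validate once, up front, so no call executes for a malformed batch
        // and surplus entries in data/delegateCall are not silently ignored.
        if (data.length != totalTargets || delegateCall.length != totalTargets) {
            revert ArrayLengthMismatch(totalTargets, data.length, delegateCall.length);
        }
        for (uint256 i; i < totalTargets; ) {
            bool success;
            bytes memory response;
            if (delegateCall[i]) (success, response) = targets[i].delegatecall(data[i]);
            else (success, response) = targets[i].call(data[i]);
            if (!success) _revertBytes(response);
            unchecked { ++i; }
        }
    }

    /// Bubble up the callee's revert data unchanged.
    function _revertBytes(bytes memory response) internal pure {
        if (response.length == 0) revert();
        assembly { revert(add(response, 32), mload(response)) }
    }
}
```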

Assessed type

Context