The removeMarketConfig function introduces an inconsistency by swapping the last configuration in the array with the one being removed. This behavior disrupts the expected indexing of configuration parameters, leading to the creation of markets with unexpected settings when users rely on specific indices.
```solidity
function removeMarketConfig(uint256 configIndex) public onlyAdmin whenNotPaused { //checked
    // Cannot remove if only one config remains
    if (marketConfigs.length <= 1) {
        revert InvalidMarketConfigOption("Must keep one config");
    }

    // Check if the index is valid
    if (configIndex >= marketConfigs.length) {
        revert InvalidMarketConfigOption("index not found");
    }

    emit MarketConfigRemoved(configIndex, marketConfigs[configIndex]);

    // If this is not the last element, swap with the last element
    uint256 lastIndex = marketConfigs.length - 1;
    if (configIndex != lastIndex) {
@>      marketConfigs[configIndex] = marketConfigs[lastIndex];
    }

    // Remove the last element
@>  marketConfigs.pop();
}
```
This index swap results in configurations being reordered, breaking the correspondence between indices and their original parameter sets. Users interacting with createMarketWithConfig(configIndex) may unintentionally create markets using unexpected configurations.
Internal pre-conditions
N/A
External pre-conditions
No response
Attack Path
1. There are 3 configs.
2. Admin removes the config at index 1.
3. User creates a market with configIndex=1.
Impact
Markets could be created with unintended initial parameters
PoC
N/A
Mitigation
To address this issue, avoid swapping configurations when removing an entry. Instead:
Use an ordered deletion mechanism that retains the array's structure.
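One way to write the ordered deletion described above, as an added example that is not the project's code. The contract name, the `MarketConfig` fields and the admin check are assumptions; the error and event names follow the snippet quoted earlier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. MarketConfig's fields and the
// admin check are simplified assumptions made for this illustration.
contract OrderedConfigRemoval {
    struct MarketConfig {
        uint256 initialVotes; // hypothetical field
        uint256 basePrice;    // hypothetical field
    }

    error InvalidMarketConfigOption(string message);
    error NotAdmin();
    event MarketConfigRemoved(uint256 indexed configIndex, MarketConfig config);

    address public immutable admin;
    MarketConfig[] public marketConfigs;

    constructor(MarketConfig[] memory initial) {
        admin = msg.sender;
        for (uint256 i = 0; i < initial.length; i++) {
            marketConfigs.push(initial[i]);
        }
    }

    function removeMarketConfig(uint256 configIndex) external {
        if (msg.sender != admin) revert NotAdmin();
        uint256 length = marketConfigs.length;
        if (length <= 1) revert InvalidMarketConfigOption("Must keep one config");
        if (configIndex >= length) revert InvalidMarketConfigOption("index not found");

        emit MarketConfigRemoved(configIndex, marketConfigs[configIndex]);

        // Shift every later element one slot left so relative order is kept.
        // Cost is O(n) storage writes, acceptable for a short admin-managed list.
        // Entries below configIndex keep their index; entries above it move
        // down by one, so callers holding a higher index must re-read the list.
        for (uint256 i = configIndex; i + 1 < length; i++) {
            marketConfigs[i] = marketConfigs[i + 1];
        }
        marketConfigs.pop();
    }
}
```

With four configs `[A, B, C, D]`, removing index 1 leaves `[A, C, D]` here, whereas the swap-and-pop version leaves `[A, D, C]`.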
Quaint Mulberry Mustang
Medium
Market Configuration Index Inconsistency
Root Cause
When a configuration is removed, the function replaces the targeted index with the configuration at the end of the array and then removes the last element:
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/ReputationMarket.sol#L403-L406