Potential Mismanagement of Array Lengths in WEDXManager
updateTraderData pushes new performance/timestamp/minLiquidity entries before popping older ones, leaving the arrays temporarily over the configured _nPoints length during the same transaction.
Description
The WEDXManager smart contract, responsible for tracking and updating trader data and computing rankings, has a potential vulnerability related to the management of trader data arrays.
The issue arises in the handling of the array lengths during updates to trader data, which, if not strictly managed, could lead to data inconsistencies or unexpected behavior, especially during interactions with external contracts like Uniswap.
The updateTraderData function in WEDXManager is designed to update trader data whenever a trader rebalances their portfolio, or deposits or withdraws assets.
This function manipulates several arrays (performances, timestamps, minLiquidity) that track trader activities. When the array length exceeds _nPoints, the oldest entries are supposed to be shifted out to maintain a fixed length. However, there's a brief moment where the array length exceeds the intended fixed length (_nPoints) before the older entries are removed.
This happens because new data is pushed to the arrays before the excess data is popped out. Although this is resolved within the same transaction and the arrays are corrected before the function execution completes, the brief inconsistency poses a theoretical risk, especially when combined with external calls.
Impact
The primary risk is related to potential misuse or unexpected behavior when interacting with external systems or during data retrieval and manipulation. If external functions depend on the assumption that these arrays never exceed their maximum length (_nPoints), even temporary violations of this assumption could lead to errors or vulnerabilities, especially in high-stress scenarios or attacks aimed at contract's state integrity.
The issue can be highlighted through a series of operations that show the array exceeding its intended maximum size within the transaction execution:
traderData[traderId].performances.push(newPerformance);traderData[traderId].timestamps.push(newTimestamp);traderData[traderId].minLiquidity.push(newLiquidity);// Arrays now exceed the intended sizerequire(traderData[traderId].performances.length == _nPoints + 1, "Array length exceeded temporarily");// Correcting the array sizefor (uint i = 0; i < _nPoints; i++) {// shifting logic}traderData[traderId].performances.pop();traderData[traderId].timestamps.pop();traderData[traderId].minLiquidity.pop();
Recommendation
To prevent any issues associated with this temporary array size increase, it is recommended to adjust the array management strategy by ensuring the arrays are maintained at the maximum size without exceeding it at any point during the function execution. This can be achieved by popping the excess elements before pushing new data:
if (traderData[traderId].performances.length >= _nPoints) {traderData[traderId].performances.pop();traderData[traderId].timestamps.pop();traderData[traderId].minLiquidity.pop();}// Now safely add new datatraderData[traderId].performances.push(newPerformance);traderData[traderId].timestamps.push(newTimestamp);traderData[traderId].minLiquidity.push(newLiquidity);
This change ensures the length of the arrays is strictly controlled, eliminating any brief inconsistencies and strengthening the contract's robustness, especially in interactions involving external contract calls.
