F-2024-0008·missing-validation

Unintended Reset of Portfolio with Empty newAssets Array

Acknowledged · index-fund · defi · rebalancing
TL;DR

_setPortfolio accepts an empty newAssets array, silently resetting the portfolio to hold only WNATIVE and skipping asset-pool validation; behaviour is likely unintended even if not financially damaging.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The _setPortfolio function in WEDXBasePortfolio might be called with an empty newAssets array, leading to the portfolio being reset to holding only the native token (WNATIVE). While this does not cause a significant imbalance, it might not be the intended behavior.

The internal _setPortfolio function can be called with an empty newAssets array from the public setPortfolio function in derived contracts (WEDXIndexPortfolio and WEDXProPortfolio). This causes:

  • Skipping validation of asset pools.
  • Resetting the tokenAddresses array to only [WNATIVE].
  • Executing _changeDistribution with newDistribution.

This effectively resets the portfolio, which might not be intended behavior but does not cause a significant imbalance if newDistribution is correctly set.


Recommendation

Require Non-Empty newAssets Array:

```solidity
function _setPortfolio(address[] memory newAssets, uint256[] memory newDistribution, uint256 fee)
    internal virtual returns (uint256)
{
    require(newAssets.length > 0, "Assets array cannot be empty");
    ...
}
```

This ensures that the newAssets array is not empty, preventing accidental resets and maintaining the intended state of the portfolio.
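A simplified model of the behaviour described in this finding, with the unguarded path beside the recommended guard. This is an added example, not the WEDX contract code: `PortfolioModel`, `hasPool`, `registerPool` and the two `setPortfolio*` functions are hypothetical names, and appending `newAssets` after WNATIVE is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model constructed for illustration, NOT the WEDX source.
/// It reproduces only the three effects listed in the finding.
contract PortfolioModel {
    address public immutable WNATIVE;
    address[] public tokenAddresses;
    uint256[] public distribution;
    mapping(address => bool) public hasPool; // stand-in for asset-pool validation

    constructor(address wnative) {
        WNATIVE = wnative;
        tokenAddresses.push(wnative);
    }

    function registerPool(address asset) external { hasPool[asset] = true; }

    // Behaviour described in the finding: an empty array passes straight through.
    function setPortfolioUnchecked(address[] memory newAssets, uint256[] memory newDistribution) external {
        _apply(newAssets, newDistribution);
    }

    // Recommended behaviour: reject the empty array before any state is touched.
    function setPortfolioChecked(address[] memory newAssets, uint256[] memory newDistribution) external {
        require(newAssets.length > 0, "Assets array cannot be empty");
        _apply(newAssets, newDistribution);
    }

    function _apply(address[] memory newAssets, uint256[] memory newDistribution) internal {
        // With length == 0 this loop body never runs, so no pool is validated.
        for (uint256 i = 0; i < newAssets.length; i++) {
            require(hasPool[newAssets[i]], "No pool for asset");
        }
        delete tokenAddresses;
        tokenAddresses.push(WNATIVE); // reset to [WNATIVE]
        for (uint256 i = 0; i < newAssets.length; i++) {
            tokenAddresses.push(newAssets[i]); // assumption: assets follow WNATIVE
        }
        distribution = newDistribution; // stand-in for _changeDistribution
    }

    function assetCount() external view returns (uint256) { return tokenAddresses.length; }
}
```

Calling `setPortfolioUnchecked` with two empty arrays leaves `assetCount()` at 1 regardless of what the portfolio held before, while `setPortfolioChecked` reverts with the message from the recommendation and leaves state unchanged.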

© 2026 Zealynx