Skip to content

Latest commit

 

History

History
60 lines (36 loc) · 2.57 KB

072.md

File metadata and controls

60 lines (36 loc) · 2.57 KB

Square Flint Grasshopper

Medium

Critical Index Mismatch in removeMarketConfig: Off-Chain Data Integrity at Risk

Summary

The removeMarketConfig function swaps the configuration to be removed with the last configuration in the array before removing it. This causes an inconsistency in the index-to-config mapping without emitting an event to indicate the change. Indexers relying on the emitted events may retain outdated references, leading to incorrect data in off-chain systems.

To address this issue, emit a new event, MarketConfigUpdated, whenever a configuration is swapped to update indexers with the new mapping.

Root Cause

Internal pre-conditions

No response

External pre-conditions

  • Multiple market configurations exist in the marketConfigs array.
  • At least one configuration index is tracked off-chain by an indexer based on emitted events (MarketConfigAdded).

Attack Path

  • A user or admin removes a configuration at an index other than the last one.
  • The function swaps the configuration with the last one and emits a MarketConfigRemoved event for the removed index.
  • No event is emitted for the new mapping of the swapped configuration.
  • Indexers retain outdated mappings, causing inconsistencies in off-chain systems and potentially leading to errors in user interfaces or reporting systems.

Impact

While this bug does not compromise on-chain functionality or security, it affects the reliability of off-chain systems, which can lead to incorrect data being displayed to users or invalid operations in dependent systems.

PoC

No response

Mitigation

Introduce a new event, MarketConfigUpdated, and emit it whenever a configuration index is changed due to the swap.

event MarketConfigUpdated(uint256 oldIndex, uint256 newIndex, MarketConfig updatedConfig);

Update the removeMarketConfig function to emit the new event:

if (configIndex != lastIndex) {
    marketConfigs[configIndex] = marketConfigs[lastIndex];
    emit MarketConfigUpdated(lastIndex, configIndex, marketConfigs[configIndex]);
}

This ensures indexers can track updates to the index mapping and maintain accurate off-chain data.