001.md

Stable Graphite Rooster

High

Function _getStakeholdersForMarket will be revert with stack overflow and getAllVerifiedLendersForMarket and getAllVerifiedBorrowersForMarket will revert.

Summary

There is stack overflow in function _getStakeholdersForMarket.

Root Cause

https://github.com/sherlock-audit/2024-11-teller-finance-update/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/MarketRegistry.sol#L1019

Internal pre-conditions

1. Anyone needs to call getAllVerifiedLendersForMarket or getAllVerifiedBorrowersForMarket.
2. In function _getStakeholdersForMarket, the conditions start <= len, start < end and start > 0 will hold.

External pre-conditions

No response

Attack Path

1. Someone calls getAllVerifiedLendersForMarket or getAllVerifiedBorrowersForMarket.
2. If start <= len, start < end and start > 0, a stack overflow occurs at the line stakeholders_[i] = _set.at(i);

Impact

The protocol fails to retrieve verified borrowers or lenders for market because it reverts due to a stack overflow.

PoC

No response

Mitigation

The _getStakeholdersForMarket function should be corrected as follows.

function _getStakeholdersForMarket(
        EnumerableSet.AddressSet storage _set,
        uint256 _page,
        uint256 _perPage
    ) internal view returns (address[] memory stakeholders_) {
        uint256 len = _set.length();

        uint256 start = _page * _perPage;
        if (start <= len) {
            uint256 end = start + _perPage;
            // Ensure we do not go out of bounds
            if (end > len) {
                end = len;
            }

            stakeholders_ = new address[](end - start);
            for (uint256 i = start; i < end; i++) {
-              stakeholders_[i] = _set.at(i); 
+              stakeholders_[i - start] = _set.at(i);  // Correct indexing by offset  
            }
        }
    }