Omniscia Teahouse Finance Audit
AaveATokenOracle Manual Review Findings
AaveATokenOracle Manual Review Findings
AAT-01M: Inexistent Validation of Array Lengths
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | AaveATokenOracle.sol:L56, L72-L74 |
Description:
The AaveATokenOracle::getBatchValueWithTwap function, in contrast to its AaveATokenOracle::getBatchValue counterpart, does not validate the lengths of its input arrays.
Impact:
Incorrectly formatted arrays can lead to the exploitation of compiler-level vulnerabilities as well as undefined behaviour due to an out-of-bound read operation.
Example:
contracts/oracle/AaveATokenOracle.sol
49/// @inheritdoc IAssetOracle50function getBatchValue(51 address[] calldata _assets,52 uint256[] calldata _amounts53) external override view returns (54 uint256[] memory values55) {56 if (_assets.length != _amounts.length) revert BatchLengthMismatched();57 IAssetOracle _baseAssetOracle = baseAssetOracle;58 values = new uint256[](_assets.length);59
60 for (uint256 i; i < _assets.length; i = i + 1) {61 values[i] = _getValue(_baseAssetOracle, _assets[i], _amounts[i]);62 }63}64
65/// @inheritdoc IAssetOracle66function getValueWithTwap(address _asset, uint256 _amount, uint256 _twap) external override view returns (uint256 value) {67 return _getValueWithTwap(baseAssetOracle, _asset, _amount, _twap);68}69
70/// @inheritdoc IAssetOracle71function getBatchValueWithTwap(72 address[] calldata _assets,73 uint256[] calldata _amounts,74 uint256[] calldata _twaps75) external override view returns (76 uint256[] memory values77) {78 IAssetOracle _baseAssetOracle = baseAssetOracle;79 values = new uint256[](_assets.length);80
81 for (uint256 i; i < _assets.length; i = i + 1) {82 values[i] = _getValueWithTwap(_baseAssetOracle, _assets[i], _amounts[i], _twaps[i]);83 }84}Recommendation:
We advise the input arrays to be validated, ensuring that proper length arrays have been passed into the function.
Alleviation (302b96f324a88038a0872015466cd43783c14543):
The input array lengths are now properly validated, yielding a BatchLengthMismatched error in case they do not equal each other.