Get $100 in free credits when you sign up
AuditBase
AuditBase
Sign InGet Started
lowL008

Array lengths not checked

Learn about the security issue of not checking array lengths in Solidity smart contracts. Discover why mismatched array sizes can lead to incomplete user operations.

Category

low-severity

Languages

solidity

Analysis Layer

static

Severity

low

If the length of the arrays are not required to be of the same length, user operations may not be fully executed due to a mismatch in the number of items iterated over, versus the number of items provided in the second array.

Consider the following Solidity code snippet:

pragma solidity ^0.8.0;

contract ArrayLengths {
    uint[] public arrayOne;
    uint[] public arrayTwo;

    constructor(uint[] memory _arrayOne, uint[] memory _arrayTwo) {
        arrayOne = _arrayOne;
        arrayTwo = _arrayTwo;
    }

    function performOperation() public {
        require(arrayOne.length == arrayTwo.length, "Arrays must have the same length");

        for (uint i = 0; i < arrayOne.length; i++) {
            // Perform some operation based on the values in both arrays
        }
    }
}

In this example, we have a contract ArrayLengths with two public arrays arrayOne and arrayTwo. The performOperation function is intended to perform some operation on the values in both arrays.

However, notice that we do not check if the lengths of the arrays are equal before iterating over them. This can lead to unexpected behavior and potential security vulnerabilities.

If a user provides two arrays with different lengths, the performOperation function will iterate only up to the length of the shorter array. As a result, some elements in the longer array will not be considered for the operation.

To mitigate this issue, it is crucial to check and enforce that the lengths of the arrays are equal before performing any operations on them. Updated code with the length check is as follows:

function performOperation() public {
    require(arrayOne.length == arrayTwo.length, "Arrays must have the same length");

    for (uint i = 0; i < arrayOne.length; i++) {
        // Perform some operation based on the values in both arrays
    }
}

By incorporating the require statement, we ensure that the arrays have the same length before executing the operation. If the lengths do not match, the transaction will revert with a helpful error message.

It is essential to consider array lengths when designing smart contracts, especially when user-provided inputs are involved. Failing to check array lengths can lead to inconsistent behavior and potential security vulnerabilities.

Take the time to thoroughly test your contracts, including different array length scenarios, to ensure that your smart contracts are secure and functioning as intended.

Scan Your Contracts← All detectors