georgits
medium
Unhandled case when tokens doesn't exist in the collateral array.
In USSD.sol there is getCollateralIndex() method which find the index of the passed token address in the collateral array.
If the passed token address doesn't exist in the collateral array the return value of getCollateralIndex() will be collateral.length since the for loop will end and the last value of index will be collateral.length.
This can lead to unexpected behaviour because getCollateralIndex() is public, meaning it is called both internally and externally.
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L125-L133
function getCollateralIndex(
address _token
) public view returns (uint256 index) {
for (index = 0; index < collateral.length; index++) {
if (collateral[index].token == _token) {
return index;
}
}
}Manual Review
Revert after the loop ends to indicate there is no such token in the collateral array.
function getCollateralIndex(
address _token
) public view returns (uint256 index) {
for (index = 0; index < collateral.length; index++) {
if (collateral[index].token == _token) {
return index;
}
}
revert("Token not found.");
}