Assessment reports>Ionic Protocol>Low findings>Lack of input validation in initialize
Category: Code Maturity

Lack of input validation in initialize

Low Severity
Low Impact
Low Likelihood


The initialize function in both CurveLpTokenPriceOracleNoRegistry and FusePoolLens does not validate the passed array parameters which may lead to unintended storage outcomes.


In both of the initialize functions, Ionic Protocol uses a for-loop to iterate through array parameters and append them to a mapping variable. If the lengths of the arrays are not equal, the initialize call will either revert or complete successfully with missing data.

In CurveLpTokenPriceOracleNoRegistry, the mappings poolOf and underlyingTokens may not be set to the intended values if the length of the array _lpTokens is less than the length of either the _pools or _poolUnderlyings arrays.

In FusePoolLens, the mapping variable hardcoded stores the mapping of token addresses (_hardcodedAddresses) to TokenData which includes a token's name and symbol. If the length of the _hardcodedAddresses array is less than the length of the _hardcodedNames or _hardcodedSymbols arrays, then parameters in those arrays that exist after _hardcodedAddresses.length will not be stored.


Consider adding require statements in the initialize function to validate user-controlled data input and to ensure that array lengths are equal.


The issue has been fixed by Ionic Protocol in commit c71037.

Zellic © 2023Back to top ↑