Overflow in readBytes
Description
The InputStream library can be used to treat a bytes variable as a read-only stream, managing a cursor that is incremented automatically as the stream is consumed.
The readBytes function can be used to read a sequence of bytes from the stream. The sequence is encoded as a length, followed by the contents of the sequence. Since the length is user provided, we believe a potential integer overflow exists in the function.
    function readBytes(uint256 stream) internal pure returns (bytes memory res) {
        assembly {
            let pos := mload(stream)
            res := add(pos, 32)
            let length := mload(res)
            mstore(stream, add(res, length))
        }
    }
The stream variable keeps track of the current position of the stream. It is updated with the new position after the sequence is read, by adding the length of the sequence, which is user-provided. This addition can overflow.
Impact
This does not represent an exploitable security issue in the context of RouteProcessor3, since the data provided to readBytes is controlled by the same user that invokes the contract. We also believe no reasonable usage of the contract would trigger this bug by accident.
For these reasons, this is reported as informational, with the purpose of providing hardening suggestions for the InputStream library, which might be important if it were used in other contexts.
Recommendations
Ensure the calculation of the new stream position does not overflow.
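One way to apply this recommendation, shown as an added example that is not part of the original report or Sushiswap's code: the cursor update from readBytes with a wraparound check placed before the store. The library name InputStreamChecked and the error StreamLengthOverflow are hypothetical, and Solidity 0.8.4 or later is assumed for custom errors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical hardened variant of the readBytes function shown above.
library InputStreamChecked {
    // Hypothetical error name, raised when the encoded length would wrap the cursor.
    error StreamLengthOverflow();

    function readBytes(uint256 stream) internal pure returns (bytes memory res) {
        bool overflow;
        assembly {
            // Current cursor: points at the word just before the length-prefixed sequence.
            let pos := mload(stream)
            res := add(pos, 32)
            // User-provided length of the sequence.
            let length := mload(res)
            // Inline assembly arithmetic is unchecked: add() wraps modulo 2^256.
            let newPos := add(res, length)
            // A single addition wraps at most once, so it wrapped
            // exactly when the sum is smaller than the operand res.
            overflow := lt(newPos, res)
            // Advance the cursor only when the addition did not wrap.
            if iszero(overflow) {
                mstore(stream, newPos)
            }
        }
        if (overflow) revert StreamLengthOverflow();
    }
}
```

This check covers only the overflow described in this finding; it does not compare the new position against the end of the stream.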
Remediation
This issue has been acknowledged by Sushiswap.