Incorrect weights calculation
Description
The function _thresholdWeight performs a calculation of weights for a set of vaults based on their return on investment (ROI) compared to a threshold value. However, during the process of identifying valid vaults, the validIds array is populated with both valid indexes and zeros, which leads to unintended behavior.
The second loop iterates over this array to calculate weights only up to validCount. But validCount is less than the actual validIds size, so the weights will be calculated only for the first validCount elements of the validIds array, regardless of whether they are valid indexes or zeros.
function _thresholdWeight(
    address[] memory vaults,
    uint256[] memory epochIds
) internal view returns (uint256[] memory weights) {
    ...
    for (uint256 i; i < vaults.length; ) {
        uint256 roi = _fetchReturn(vaults[i], epochIds[i], marketIds[i]);
        if (roi > threshold) {
            validCount += 1;
            // Written at slot i, so slots of skipped vaults stay zero
            validIds[i] = i;
        }
        unchecked {
            i++;
        }
    }
    ...
    uint256 modulo = 10_000 % validCount;
    // Reads only the first validCount slots of validIds
    for (uint j; j < validCount; ) {
        uint256 location = validIds[j];
        weights[location] = 10_000 / validCount;
        if (modulo > 0) {
            weights[location] += 1;
            modulo -= 1;
        }
        unchecked {
            j++;
        }
    }
}
Impact
This behavior leads to missing weights calculations for a portion of the valid vaults.
Recommendations
We recommend correcting the second loop so that it iterates the entire length of the validIds array and counts the weights only if the validIds[j] is not zero.
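A Python model of the two loops above, added here as an illustration; it is not code from the audited project or from the fix commit. It runs the sparse write from the finding next to a dense-write variant on constructed ROI values. Assumptions: validIds is zero-initialised with one slot per vault, and threshold_weight_compact is a hypothetical correction that also keeps vault index 0 distinguishable from an empty slot.

```python
BPS = 10_000  # total weight in basis points, as in the snippet above


def _distribute(valid_ids, valid_count, n):
    """Second loop of _thresholdWeight: read the first valid_count slots."""
    weights = [0] * n
    modulo = BPS % valid_count
    for j in range(valid_count):
        location = valid_ids[j]
        weights[location] = BPS // valid_count
        if modulo > 0:
            weights[location] += 1
            modulo -= 1
    return weights


def threshold_weight_buggy(rois, threshold):
    """First loop as shown in the finding: sparse write validIds[i] = i."""
    valid_ids = [0] * len(rois)  # assumption: zero-initialised, one slot per vault
    valid_count = 0
    for i, roi in enumerate(rois):
        if roi > threshold:
            valid_count += 1
            valid_ids[i] = i  # leaves zeros in the slots of skipped vaults
    return _distribute(valid_ids, valid_count, len(rois))


def threshold_weight_compact(rois, threshold):
    """Hypothetical correction: dense write, so slots [0, valid_count) are all valid."""
    valid_ids = [0] * len(rois)
    valid_count = 0
    for i, roi in enumerate(rois):
        if roi > threshold:
            valid_ids[valid_count] = i
            valid_count += 1
    return _distribute(valid_ids, valid_count, len(rois))


# Constructed ROI values, threshold 3.
ROIS_A = [5, 1, 9, 1, 7]  # valid vaults: 0, 2, 4
ROIS_B = [1, 8, 1, 9]     # valid vaults: 1, 3

if __name__ == "__main__":
    for rois in (ROIS_A, ROIS_B):
        print(rois, threshold_weight_buggy(rois, 3), threshold_weight_compact(rois, 3))
```

On ROIS_A the sparse version assigns only 6,666 of the 10,000 basis points and gives vault 4 nothing. On ROIS_B it gives weight to vault 0, whose ROI is below the threshold, and none to vault 3.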
Remediation
The issue was fixed in commit d9ee9d3.