getStableAmountsOut does not validate for path and flag #102

Open
hats-bug-reporter bot opened this issue Oct 13, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter

Github username: --
Twitter username: --
Submission hash (on-chain): 0x6dc05071e4ecae82f9af1c750cecdbb575d594d60e78a9787830a8404cd14b13
Severity: low

Description:
The getStableAmountsOut function does not validate the path and flag arrays. This can lead to unexpected outcomes if the arrays are not properly aligned.

function getOutputStableSwap(
    address[] calldata path,
    uint256[] calldata flag,
    uint256 amountIn,
    uint256 amountOutMin
) external view returns (uint256 amountOut) {
    // Take the last hop's output; path/flag alignment is left to getStableAmountsOut itself
    amountOut = SmartRouterHelper.getStableAmountsOut(
        stableSwapFactory,
        path,
        flag,
        amountIn
    )[path.length - 1];
    require(
        amountOut >= amountOutMin,
        "The amount of token is smaller than expected"
    );
    return amountOut;
}
  • The getStableAmountsOut function is designed to calculate the output amounts for a series of stable swaps defined by the path array, which contains the token addresses involved in the swaps.
  • The flag array is intended to specify the pool type for each swap, with each element corresponding to a swap between two consecutive tokens in the path.
  • The function currently checks that path.length is at least 2, ensuring there are at least two tokens for a swap.

Attachments

  1. Proof of Concept (PoC) File

Issue
  • If flag.length is less than path.length - 1, the function will attempt to access an out-of-bounds index in the flag array during the loop, leading to a runtime error.
  • There is no check to ensure that flag.length is equal to path.length - 1, which is necessary for each swap to have a corresponding pool type.
  • If flag.length is greater than path.length - 1, the extra elements in flag will be ignored, which might indicate a logical error in the input data.
  2. Revised Code File (Optional)
function getStableAmountsOut(
    address stableSwapFactory,
    address[] memory path,
    uint256[] memory flag,
    uint256 amountIn
) public view returns (uint256[] memory amounts) {
    uint256 length = path.length;
    require(length >= 2, "getStableAmountsIn: incorrect length");
    // Added check: exactly one pool-type flag per hop, verified before any flag[i] read
    require(flag.length == length - 1, "getStableAmountsOut: flag length mismatch");

    amounts = new uint256[](length);
    amounts[0] = amountIn;
    for (uint256 i = 0; i < length - 1; i++) {
        (uint256 k, uint256 j, address swapContract) = getStableInfo(stableSwapFactory, path[i], path[i + 1], flag[i]);
        amounts[i + 1] = IStableSwap(swapContract).get_dy(k, j, amounts[i]);
    }
}
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Oct 13, 2024
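A Foundry test exercising the two misalignment cases the report describes (flag shorter than path.length - 1, and flag longer than it), added here as an illustration; it is not code from the repository this issue was filed against nor from either commenter. MockStableSwap, MockFactory, Quoter, the token addresses and the fee values are constructed stand-ins for the real SmartRouterHelper.getStableInfo lookup and IStableSwap.get_dy pool math, which are not on this page; only the two require messages are taken from the code above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed stand-in for a stable pool: get_dy only takes a flat fee, not the real invariant math.
contract MockStableSwap {
    uint256 public immutable feeBps;
    constructor(uint256 _feeBps) { feeBps = _feeBps; }
    function get_dy(uint256, uint256, uint256 dx) external view returns (uint256) {
        return dx - (dx * feeBps) / 10_000;
    }
}

// Constructed stand-in for the factory lookup getStableInfo performs: pools are keyed by the
// ordered token pair plus the flag, and an unknown key reverts so a wrong flag cannot pass silently.
contract MockFactory {
    mapping(bytes32 => address) private pools;
    function register(address a, address b, uint256 flag, address pool) external {
        pools[keccak256(abi.encode(a, b, flag))] = pool;
    }
    function getStableInfo(address a, address b, uint256 flag)
        external view returns (uint256 k, uint256 j, address pool)
    {
        pool = pools[keccak256(abi.encode(a, b, flag))];
        require(pool != address(0), "getStableInfo: no pool");
        return (0, 1, pool); // coin indices are fixed in this mock
    }
}

// Both variants are external so the test can observe the revert data with vm.expectRevert.
contract Quoter {
    MockFactory public immutable factory;
    constructor(MockFactory f) { factory = f; }

    // As reported: only path.length is validated; flag[i] is read unguarded inside the loop.
    function quoteUnchecked(address[] calldata path, uint256[] calldata flag, uint256 amountIn)
        external view returns (uint256[] memory)
    {
        require(path.length >= 2, "getStableAmountsIn: incorrect length");
        return _walk(path, flag, amountIn);
    }

    // Proposed fix: exactly one flag per hop, checked before any array is indexed.
    function quoteChecked(address[] calldata path, uint256[] calldata flag, uint256 amountIn)
        external view returns (uint256[] memory)
    {
        require(path.length >= 2, "getStableAmountsIn: incorrect length");
        require(flag.length == path.length - 1, "getStableAmountsOut: flag length mismatch");
        return _walk(path, flag, amountIn);
    }

    function _walk(address[] calldata path, uint256[] calldata flag, uint256 amountIn)
        private view returns (uint256[] memory amounts)
    {
        amounts = new uint256[](path.length);
        amounts[0] = amountIn;
        for (uint256 i = 0; i < path.length - 1; i++) {
            // Solidity >= 0.8 bounds-checks flag[i]: i >= flag.length reverts with Panic(0x32).
            (uint256 k, uint256 j, address pool) =
                factory.getStableInfo(path[i], path[i + 1], flag[i]);
            amounts[i + 1] = MockStableSwap(pool).get_dy(k, j, amounts[i]);
        }
    }
}

contract FlagLengthTest is Test {
    address constant A = address(0xA1);
    address constant B = address(0xB2);
    address constant C = address(0xC3);
    MockFactory factory;
    Quoter quoter;
    address[] path; // A -> B -> C: two hops, so exactly two flags are expected

    function setUp() public {
        factory = new MockFactory();
        factory.register(A, B, 2, address(new MockStableSwap(4)));  // 0.04% fee
        factory.register(B, C, 3, address(new MockStableSwap(10))); // 0.10% fee
        quoter = new Quoter(factory);
        path.push(A); path.push(B); path.push(C);
    }

    function testShortFlagArray() public {
        uint256[] memory flag = new uint256[](1); // one flag for two hops
        flag[0] = 2;
        vm.expectRevert(stdError.indexOOBError); // Panic(uint256)(0x32), no reason string
        quoter.quoteUnchecked(path, flag, 1e18);
        vm.expectRevert(bytes("getStableAmountsOut: flag length mismatch"));
        quoter.quoteChecked(path, flag, 1e18);
    }

    function testLongFlagArray() public {
        uint256[] memory flag = new uint256[](3); // three flags for two hops
        flag[0] = 2; flag[1] = 3; flag[2] = 99;   // flag[2] is never read
        uint256[] memory amounts = quoter.quoteUnchecked(path, flag, 1e18);
        assertEq(amounts[2], 998_600_400_000_000_000); // quote succeeds, extra flag ignored
        vm.expectRevert(bytes("getStableAmountsOut: flag length mismatch"));
        quoter.quoteChecked(path, flag, 1e18);
    }
}
```

Run with `forge test --match-contract FlagLengthTest`. The short-array case shows the practical difference between the two behaviours: the unchecked version fails with a bare Panic(0x32), which a front end or aggregator cannot distinguish from any other indexing bug, while the checked version names the malformed input. The long-array case shows why the maintainer's "harmless" framing holds for on-chain safety but not for input validation: the quote is returned as if the extra flag had never been supplied.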
@omega-audits

This is a helper function that is not used internally in the contract. There are many ways to call this function badly, with useless arguments, but it is up to the caller to provide sensible arguments, and it is a tradeoff (between gas costs and complexity against UX) to add checks for harmless errors, which in this case was made in favor of simplicity and saving gas.

@omega-audits omega-audits added the invalid This doesn't seem right label Oct 14, 2024