#48885 [SC-Low] No items length check in remove_item leads to a revert with an underflow
Submitted on Jul 8th 2025 at 18:32:15 UTC by @j3x for Audit Comp | Folks Smart Contract Library
Report ID: #48885
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/UInt64SetLib.py
Impacts:
Description
Brief/Intro
No items length check in remove_item leads to a revert with an underflow.
Vulnerability Details
In UInt64SetLib::remove_item(), the items array length is not verified to be a non-zero value, and the function will directly proceed to subtract from it:
def remove_item(to_remove: UInt64, items: DynamicArray[ARC4UInt64]) -> Tuple[Bool, DynamicArray[ARC4UInt64]]:
last_idx = items.length - 1
...If the items array is empty, this will lead to a subtration from a 0 uint64, which causes a panic.
Impact Details
Contradicts with the system's best design, as it proceeds to directly subtracts from a length of 0, causing a revert with an underflow.
References
https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/UInt64SetLib.py#L32C1-L33C32
Proof of Concept
Proof of Concept
The function
remove_item()is called with an emptyitemsarray.This will lead to an underflow, causing a panic, which reverts the transaction
Mitigation
add the following lines before subtracting:
if items.length == 0:
return Bool(False), items.copy()This will return peacefully in case on an empty set.
Was this helpful?