#49559 [SC-Low] The remove functionality in `UInt64SetLib::remove_item` underflows on empty array

Submitted on Jul 17th 2025 at 08:37:56 UTC by @NHristov for Audit Comp | Folks Smart Contract Library

• Report ID: #49559

• Report Type: Smart Contract

• Report severity: Low

• Target: https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/UInt64SetLib.py

• Impacts:

  • Temporary denial of service for more than one block

Description

Brief/Intro

The UInt64SetLib::remove_item computes the last index as

last_idx = items.length - 1

without first checking if the passed array is empty. If you call remove_item with an empty array, items.length - 1 underflows to a negative value and immediately aborts the TEAL execution, reverting the transaction.

Vulnerability Details

In contracts/library/UInt64SetLib.py we have:

and if we pass an empty array, items.length is 0, so last_idx becomes -1. This leads to an immediate TEAL abort with the error message copied from the PoC test below as follows:

That “frame dig ‑1” error is coming from this line:

When items.length is 0, you end up emitting TEAL that does:

Which effectively computes 0 - 1 in unsigned land, underflows, and blows up with “frame dig ‑1”.

Impact Details

Any consumer of remove_item that passes an empty array will experience an immediate revert. This can lead to:

• Unexpected Denial-of-Service in higher-level logic that relies on safe removal.

• Forcing callers to add additional pre-checks, undermining the library’s usability guarantees.

Remediation

Add an explicit guard against an empty array at the top of remove_item, for example:

References

• Vulnerable code: contracts/library/UInt64SetLib.py: remove_item

Proof of Concept

Proof of Concept

In tests/library/UInt64SetLib.test.ts append the following test under the describe("remove item") block: