# #49938 \[SC-Low] Underflow Revert in \`remove\_item\` When Removing from an Empty Array **Submitted on Jul 20th 2025 at 16:30:46 UTC by @Afriauditor for** [**Audit Comp | Folks Smart Contract Library**](https://immunefi.com/audit-competition/folks-sc-library) * **Report ID:** #49938 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Contract fails to deliver promised returns, but doesn't lose value ## Description ## Brief/Intro The `remove_item` subroutine in `UInt64SetLib` unconditionally computes `last_idx = items.length - 1,` which underflows when the array is empty and causes the transaction to revert instead of returning `(false, items)`, leading to unexpected failures or DoS in production. ## Vulnerability Details In the first line of `remove_item` the code does: ``` last_idx = items.length - 1 ``` Because there is no check for an empty array before this subtraction, any call to `remove_item(x, [])` will immediately abort the TEAL execution at that line, bypassing the intended “not present” return path. So the function violates its specification and any upstream contract logic reverts ## Impact Details Because `remove_item aborts` instead of returning the promised `(false, items)` when called on an empty array, any contract logic that depends on that return value will itself revert or misbehave breaking workflows ## References ## Proof of Concept ## Proof of Concept 1. **Deploy the `UInt64SetLibExposed` application** so you have an ABI method `dynamicRemoveItem` that calls `remove_item` on a box-backed array. 2. **Reset the box** to an empty array by invoking its `dynamicReset` method (or equivalent), ensuring `items.length == 0`. 3. **Attempt to remove** any value (e.g. `123`) by calling `dynamicRemoveItem({ args: [123], boxReferences: ["uint64_set"] })`. 4. **Watch the transaction revert** with an underflow or “invalid subtract” error at the very first line of `remove_item`. 5. **Confirm that no `(false, items)`** return is ever emitted and that the fallback return path is never reached. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/folks-smart-contract-library/49938-sc-low-underflow-revert-in-remove_item-when-removing-from-an-empty-array.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.