Array Length Assumption
Detects parallel array operations that assume equal lengths without validation, risking out-of-bounds access or incomplete processing.
Array Length Assumption
Overview
The array length assumption detector identifies functions that accept multiple array parameters and iterate over them in parallel without verifying that all arrays have the same length. A mismatch causes out-of-bounds access (reverting the entire transaction) or silent truncation where some elements are not processed.
Why This Is an Issue
Functions like batchTransfer(address[] to, uint256[] amounts) implicitly assume to.length == amounts.length. If the caller provides mismatched lengths:
- Solidity 0.8+: reverts with a panic, blocking the entire batch
- Older Solidity: reads garbage data from memory, potentially transferring wrong amounts
Airdrop and multi-send contracts are particularly affected. A single off-by-one in the input arrays can cause the entire distribution to revert.
How to Resolve
// Before: No length validation
function batchTransfer(address[] calldata to, uint256[] calldata amounts) external {
for (uint i = 0; i < to.length; i++) {
token.transfer(to[i], amounts[i]); // Reverts if amounts is shorter
}
}
// After: Explicit length check
function batchTransfer(address[] calldata to, uint256[] calldata amounts) external {
require(to.length == amounts.length, "Length mismatch");
for (uint i = 0; i < to.length; i++) {
token.transfer(to[i], amounts[i]);
}
}Examples
Sample Sigvex Output
{
"detector_id": "array-length-assumption",
"severity": "medium",
"confidence": 0.88,
"description": "Function batchTransfer() iterates over parallel arrays 'to' and 'amounts' without verifying equal lengths. Mismatched inputs cause revert or incorrect processing.",
"location": { "function": "batchTransfer(address[],uint256[])", "offset": 24 }
}Detection Methodology
- Multi-array parameter detection: Identifies functions with two or more array/bytes parameters.
- Parallel iteration scan: Detects loops that index into multiple arrays using the same counter.
- Length comparison check: Verifies whether an equality comparison between array lengths precedes the loop.
Limitations
- Functions where arrays are intentionally different lengths (e.g., one is a subset of the other) will be flagged.
- Struct-of-arrays patterns where the length is implicitly managed may produce false positives.
Related Detectors
- Unchecked Array Bounds — array access without bounds check
- Off By One — boundary errors