Array Length Assumption Remediation
Overview
Functions that accept several array parameters and index into them with one counter implicitly assume the arrays are the same length. A mismatch either reverts the whole transaction (Solidity 0.8+) or, in older compilers, reads adjacent memory and processes wrong values. The fix is a single equality check before the loop.
Related Detector: Array Length Assumption
Recommended Fix
Before (Vulnerable)
function batchTransfer(address[] calldata to, uint256[] calldata amounts) external {
for (uint i = 0; i < to.length; i++) {
token.transfer(to[i], amounts[i]); // Reverts if amounts is shorter
}
}
After (Fixed)
function batchTransfer(address[] calldata to, uint256[] calldata amounts) external {
require(to.length == amounts.length, "Length mismatch");
for (uint i = 0; i < to.length; i++) {
token.transfer(to[i], amounts[i]);
}
}
The require rejects mismatched inputs up front with a clear error, so the loop never reads past the end of the shorter array and the caller learns exactly why the call failed.
Alternative Mitigations
- Replace parallel arrays with a single array of structs, which makes a length mismatch impossible to express.
- Validate every array length against each other when more than two are involved.
- For very large batches, also bound the length so a single call cannot exceed the block gas limit.
Common Mistakes
- Checking only two of three or more parallel arrays.
- Iterating to the longest array’s length instead of guaranteeing equal lengths, which still reads out of bounds.
- Relying on the 0.8+ panic as the only safeguard, which gives users an opaque revert.