code-423n4 / 2021-04-basedloans-findings


uint(-1) #7

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

gpersoon

Vulnerability details

Impact

On several occasions constructions like uint(-1) and uint96(-1) are used to reference the maximum values of uint and uint96. This relies on the peculiarities of numbers. Solidity also allows the following constructions: type(uint).max; type(uint96).max;

Proof of Concept

.\CToken.sol: startingAllowance = uint(-1);
.\CToken.sol: if (startingAllowance != uint(-1)) {
.\CToken.sol: if (repayAmount == uint(-1)) {
.\CToken.sol: if (repayAmount == uint(-1)) {
.\Governance\Blo.sol: if (rawAmount == uint(-1)) {
.\Governance\Blo.sol: amount = uint96(-1);
.\Governance\Blo.sol: if (spender != src && spenderAllowance != uint96(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {

Tools Used

Grep

Recommended Mitigation Steps

Replace uint(-1) with type(uint).max
uint96(-1) with type(uint96).max
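An added example, not part of the original issue or the audited code base: a Python pass that finds the uintN(-1) casts a plain grep surfaces and rewrites them to type(uintN).max, while leaving comments and string literals untouched. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# uint(-1), uint96(-1), uint256( -1 ): an unsigned cast of the literal -1.
MAX_CAST = re.compile(r"\b(uint(?:[1-9]\d{0,2})?)\s*\(\s*-\s*1\s*\)")
# Comments and string literals, matched first so casts inside them are kept.
SKIP = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def valid_width(type_name):
    """Solidity unsigned types are uint and uint8..uint256 in steps of 8."""
    bits = type_name[4:]
    return bits == "" or (int(bits) % 8 == 0 and 8 <= int(bits) <= 256)

def rewrite_max_casts(source):
    """Return (rewritten_source, findings); findings are (line, old, new)."""
    findings, out, pos = [], [], 0

    def fix(chunk, offset):
        def repl(m):
            if not valid_width(m.group(1)):
                return m.group(0)  # e.g. uint7 is not a Solidity type
            line = source.count("\n", 0, offset + m.start()) + 1
            new = f"type({m.group(1)}).max"
            findings.append((line, m.group(0), new))
            return new
        return MAX_CAST.sub(repl, chunk)

    for skip in SKIP.finditer(source):
        out.append(fix(source[pos:skip.start()], pos))  # code before it
        out.append(skip.group(0))                       # comment/string as-is
        pos = skip.end()
    out.append(fix(source[pos:], pos))
    return "".join(out), findings

# Constructed sample modelled on the grep hits above (not the audited files).
SAMPLE = '''\
// legacy: uint(-1) means "infinite"
startingAllowance = uint(-1);
if (spender != src && spenderAllowance != uint96(-1)) {
string memory note = "uint(-1)";
if (repayAmount == uint( -1 )) { /* uint96(-1) */ }
'''

if __name__ == "__main__":
    fixed, hits = rewrite_max_casts(SAMPLE)
    for line, old, new in hits:
        print(f"line {line}: {old} -> {new}")
    print(fixed)
```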

ghoul-sol commented 3 years ago

Added to backlog for later refactoring, thanks!