On several occasions, constructions like uint(-1) and uint96(-1) are used to reference the maximum values of uint and uint96.
This relies on a peculiarity of number representation: converting -1 to an unsigned type wraps around to the largest value of that type.
Solidity also allows the following constructions:
type(uint).max;
type(uint96).max;
Proof of Concept
.\CToken.sol: startingAllowance = uint(-1);
.\CToken.sol: if (startingAllowance != uint(-1)) {
.\CToken.sol: if (repayAmount == uint(-1)) {
.\CToken.sol: if (repayAmount == uint(-1)) {
.\Governance\Blo.sol: if (rawAmount == uint(-1)) {
.\Governance\Blo.sol: amount = uint96(-1);
.\Governance\Blo.sol: if (spender != src && spenderAllowance != uint96(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {
.\UniswapOracle\UniswapConfig.sol: if (index != uint(-1)) {
Tools Used
Grep
Recommended Mitigation Steps
Replace
uint(-1) with type(uint).max
uint96(-1) with type(uint96).max
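The replacement above can be applied mechanically. The following Python sketch is an added example, not part of the original report or the audited code base; the function names and the sample lines (modelled on the grep hits listed above) are constructed for illustration.

```python
import re

# Matches uint(-1), uint96(-1), uint256( -1 ) and similar. The \b keeps it
# from matching inside other identifiers (e.g. myuint(-1)), and the signed
# cast int(-1) is deliberately left alone because it is not a max-value idiom.
CAST_RE = re.compile(r"\buint(\d*)\s*\(\s*-\s*1\s*\)")


def rewrite_line(line):
    """Return the line with each uintN(-1) replaced by type(uintN).max."""
    return CAST_RE.sub(lambda m: f"type(uint{m.group(1)}).max", line)


def scan(source):
    """Return (line_number, original, rewritten) for every line that changes."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        fixed = rewrite_line(line)
        if fixed != line:
            findings.append((number, line.strip(), fixed.strip()))
    return findings


# Constructed sample: four lines in the style of the report's findings,
# plus two lines that must not be rewritten.
SAMPLE = """\
startingAllowance = uint(-1);
if (repayAmount == uint(-1)) {
amount = uint96(-1);
if (spender != src && spenderAllowance != uint96(-1)) {
int delta = int(-1);
uint fee = myuint(-1);
"""

if __name__ == "__main__":
    for number, before, after in scan(SAMPLE):
        print(f"{number}: {before}  ->  {after}")
```

Review the proposed rewrites before committing them, since the pattern does not distinguish code from comments or string literals.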
Handle
gpersoon