Handle
shw
Vulnerability details
Editing on a previous post to correct some details
Impact
The function _calculateDeltaOfFSD of contract ABC incorrectly converts an int256 type parameter, _reserveDelta, to uint256 by explicit conversion, which in general results in an extremely large number when the provided parameter is negative. The extremely large number could cause a DSMath operation sub at line 43 to underflow and revert, and thus the FSD tokens cannot be burned. (_reserveDelta is negative when burning FSD tokens)
Proof of Concept
Simply calling fsd.burn after a successful fsd.mint will trigger this bug.
Referenced code: ABC.sol#L43 ABC.sol#L49 ABC.sol#L54
Recommended Mitigation Steps
Should get the _reserveDelta absolute value by an abs function, for example:
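The report's own snippet is not present on this page. The following is an added illustration, not code from ABC.sol or from the reporter: it shows the cast of a negative int256 feeding a DSMath-style sub next to the abs-based form. It assumes Solidity 0.8, and the contract and function names (SignedDeltaDemo, subWithCast, subWithAbs) are hypothetical stand-ins for the arithmetic, not the project's logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; names are hypothetical, not taken from ABC.sol.
contract SignedDeltaDemo {
    // Equivalent to DSMath's sub: revert when the result would go below zero.
    function sub(uint256 x, uint256 y) internal pure returns (uint256) {
        require(y <= x, "ds-math-sub-underflow");
        return x - y;
    }

    // Magnitude of a signed value. Negating type(int256).min overflows,
    // which Solidity 0.8 turns into a revert instead of a wrong result.
    function abs(int256 x) internal pure returns (uint256) {
        return x >= 0 ? uint256(x) : uint256(-x);
    }

    // Pattern described in the report: the explicit cast reinterprets the
    // two's-complement bits, so reserveDelta = -1 becomes 2**256 - 1 and
    // sub reverts for any realistic reserve.
    function subWithCast(uint256 reserve, int256 reserveDelta)
        external
        pure
        returns (uint256)
    {
        return sub(reserve, uint256(reserveDelta));
    }

    // Recommended pattern: subtract the magnitude of the delta. With
    // reserve = 100 and reserveDelta = -30 this returns 70.
    function subWithAbs(uint256 reserve, int256 reserveDelta)
        external
        pure
        returns (uint256)
    {
        return sub(reserve, abs(reserveDelta));
    }
}
```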