code-423n4 / 2021-05-yield-findings

Implicit unsafe math #24

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

Ladle._close (and many other occurrences) reverts the transaction on certain signed inputs that are negated and cast to unsigned integers.

// Ladle._close calling it with art or ink as type(int128).min will crash
uint128 amt = _debtInBase(vault.seriesId, series, uint128(-art));
ilkJoin.exit(to, uint128(-ink));

// explanation
int128 art = type(int128).min; // -2^127
uint128 amt = uint128(-art); // this fails as -art=--2^127=2^127 cannot be represented in int128

Other places:

Impact

One cannot use the actual type(int128).min value for function parameters.

Recommended Mitigation Steps

Revert with a meaningful error message as is done in the /math/Cast* functions.
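
One way to apply the recommended mitigation, as an added example that is not part of the original report or of the Yield code base. The library, contract and function names, the error strings and the `^0.8.0` pragma are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed: checked arithmetic, as the revert in the report implies

/// Hypothetical helper, written in the spirit of the /math/Cast* functions
/// mentioned in the report; it is not one of them.
library CastNegI128U128 {
    /// @dev Returns -x as a uint128, reverting with a readable message
    /// whenever the result cannot be produced safely.
    function negU128(int128 x) internal pure returns (uint128 y) {
        // -type(int128).min == 2^127 does not fit in int128, so the checked
        // unary minus below would otherwise fail with Panic(0x11).
        require(x != type(int128).min, "Cast overflow");
        // The explicit int128 -> uint128 conversion is not range-checked:
        // for x > 0, -x is negative and would wrap to a large uint128.
        require(x <= 0, "Cast underflow");
        y = uint128(-x);
    }
}

/// Side-by-side view of the pattern from the report and the guarded form.
contract NegationDemo {
    using CastNegI128U128 for int128;

    /// Pattern quoted in the report. With x == type(int128).min the call
    /// reverts with Panic(0x11), which carries no error string.
    function rawNegate(int128 x) external pure returns (uint128) {
        return uint128(-x);
    }

    /// Guarded form. With x == type(int128).min the call reverts with
    /// Error("Cast overflow"), so the caller can see which check failed.
    function checkedNegate(int128 x) external pure returns (uint128) {
        return x.negU128();
    }
}
```

Both functions still revert on `type(int128).min`; the difference is that the guarded form returns an error string instead of a bare arithmetic panic.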

alcueca commented 3 years ago

You are right, I must have got my boundaries confused.

alcueca commented 3 years ago

However, this will only cause rare transactions that would revert to still revert, just with a more meaningful message. Is this a non-critical or a low risk?