The sortVaultsByDelta function performs an unsafe subtraction on two uint256 values before casting the result to int256.
The subtraction can underflow, and the cast to int256 can then either fail and revert the transaction (if the value is greater than type(int256).max) or fit into an int256 and corrupt the sorting of the vaults that follows.
int256 delta = int256(
    // this is still doing unsafe uint256 subtraction
    unifiedAssets[i] - unifiedTotalAssets.mul(targetPercents[i]).div(PERCENTAGE_DECIMAL_FACTOR)
);
Handle
cmichel
Vulnerability details
The sortVaultsByDelta function performs an unsafe subtraction on two uint256 values before casting the result to int256. The subtraction can underflow, and the cast to int256 can then either fail and revert the transaction (if the value is greater than type(int256).max) or fit into an int256 and corrupt the sorting of the vaults that follows.

Example values:
unifiedTotalAssets = 100k
unifiedAssets = [30k, 30k, 40k]
targetPercents = [40%, 30%, 30%]
On i = 0, the computation would be:
The transaction would then fail because the result is greater than type(int256).max.

Recommended Mitigation Steps
Check individually that each term fits into an int256, and cast each term to int256 before the subtraction.
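
The following Python model is an added example, not code from the audited project: it runs the example values above through the unsigned subtraction and through the recommended cast-then-subtract order. Assumptions: unchecked uint256 subtraction is modelled as arithmetic modulo 2**256, PERCENTAGE_DECIMAL_FACTOR is taken to be 10,000 because the page does not give its value, the ascending sort direction is chosen for illustration, and all function names are hypothetical.

```python
UINT256_MOD = 2**256
INT256_MAX = 2**255 - 1
# Assumption: basis-point scaling; the page does not state the real constant.
PERCENTAGE_DECIMAL_FACTOR = 10_000

# Example values from the page; percentages scaled by the assumed factor.
UNIFIED_TOTAL_ASSETS = 100_000
UNIFIED_ASSETS = [30_000, 30_000, 40_000]
TARGET_PERCENTS = [4_000, 3_000, 3_000]  # 40%, 30%, 30%


def target_assets(total, percent):
    """Models unifiedTotalAssets.mul(targetPercents[i]).div(PERCENTAGE_DECIMAL_FACTOR)."""
    return total * percent // PERCENTAGE_DECIMAL_FACTOR


def unsigned_result(i):
    """The subtraction done on uint256 operands: a negative result wraps."""
    diff = UNIFIED_ASSETS[i] - target_assets(UNIFIED_TOTAL_ASSETS, TARGET_PERCENTS[i])
    return diff % UINT256_MOD


def to_int256(value):
    """Range-checked uint256 -> int256 conversion: fail instead of reinterpreting."""
    if not 0 <= value <= INT256_MAX:
        raise OverflowError("value does not fit into int256")
    return value


def safe_delta(i):
    """Recommended order: check and cast each term, then subtract as signed values."""
    current = to_int256(UNIFIED_ASSETS[i])
    target = to_int256(target_assets(UNIFIED_TOTAL_ASSETS, TARGET_PERCENTS[i]))
    return current - target


def safe_deltas():
    return [safe_delta(i) for i in range(len(UNIFIED_ASSETS))]


def vaults_by_delta():
    """Vault indices sorted by signed delta, ascending (direction is an assumption)."""
    deltas = safe_deltas()
    return sorted(range(len(deltas)), key=lambda i: deltas[i])


if __name__ == "__main__":
    print("i = 0 on uint256 operands:", unsigned_result(0))
    print("exceeds int256 max:", unsigned_result(0) > INT256_MAX)
    print("signed deltas:", safe_deltas(), "order:", vaults_by_delta())
```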