code-423n4 / 2021-08-notional-findings


unsafe cast from int to uint can lead to incentive abuse #8

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

Omik

Vulnerability details

Impact

In https://github.com/code-423n4/2021-08-notional/blob/main/contracts/internal/balances/Incentives.sol#L84, when doing a claim of incentives, it reads from the storedntokenbalance and changes it from int to uint. It works as expected when the storedntokenbalance is positive, but when the value of the storedntokenbalance becomes negative, the negative int value would be changed to uint unsafely, which can make storedntokenbalance extremely high when claiming incentives.

Proof of Concept

https://github.com/code-423n4/2021-08-notional/blob/main/contracts/internal/balances/Incentives.sol#L84

Recommended Mitigation Steps

Use OpenZeppelin SafeCast.

jeffywu commented 3 years ago

nTokenBalance is int256 on the stack but cannot be stored as a negative number. There does not appear to be a way to actually generate an overflow this way. https://github.com/code-423n4/2021-08-notional/blob/main/contracts/internal/balances/BalanceHandler.sol#L379

ghoul-sol commented 3 years ago

Per sponsor comment, making this a best practice recommendation, ergo non-critical.
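
The cast discussed in this thread, as an added Solidity example that is not from the thread or the Notional code base. The contract and function names are hypothetical and the `^0.8.0` pragma is an assumption; it puts the unchecked int-to-uint conversion next to a checked one, together with a write-side guard of the kind the sponsor's reply describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumption: compiler version is not stated in the thread

// Added illustration. CastDemo and all of its members are hypothetical names.
contract CastDemo {
    // Signed balance, mirroring "int256 on the stack" from the thread.
    int256 private balance;

    /// Unchecked conversion: the two's-complement bits are reinterpreted,
    /// so -1 becomes 2**256 - 1 and any negative input becomes a huge value.
    function unsafeToUint(int256 value) public pure returns (uint256) {
        return uint256(value);
    }

    /// Checked conversion: reverts on negative input instead of wrapping.
    /// OpenZeppelin's SafeCast.toUint256(int256) performs the same check.
    function safeToUint(int256 value) public pure returns (uint256) {
        require(value >= 0, "negative value cannot be cast to uint256");
        return uint256(value);
    }

    /// Write-side guard: a negative balance is rejected before it is stored.
    /// While every write path goes through a check like this, the unchecked
    /// read below never sees a negative input.
    function storeBalance(int256 newBalance) external {
        require(newBalance >= 0, "balance cannot be negative");
        balance = newBalance;
    }

    /// Read path relying only on the write-side invariant.
    function readUnchecked() external view returns (uint256) {
        return unsafeToUint(balance);
    }

    /// Read path that also enforces the invariant at the point of the cast,
    /// so a future write path that skips the guard fails loudly here.
    function readChecked() external view returns (uint256) {
        return safeToUint(balance);
    }
}
```

Calling `unsafeToUint(-1)` returns the maximum `uint256`, while `safeToUint(-1)` reverts.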