code-423n4 / 2021-11-badgerzaps-findings

Missing overflow protection #13

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

pmerkleplant

Vulnerability details

Impact

Function deposit in IbbtcVaultZap.sol computes two additions without overflow protection, see lines 158 and 166.

In the first case, i.e. line 158, the addition can be changed to an assignment, as depositAmount[i] is always 0.

In the second case, i.e. line 166, an overflow would lead to a wrong amount of funds deposited into Curve and from there to a wrong amount of LP tokens sent to the msg.sender.

Recommended Steps of Mitigation

As OpenZeppelin's SafeMathUpgradeable library is already imported, use their add function instead of the native + operator.
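
An added example, not part of the original issue and not the IbbtcVaultZap.sol source: a hypothetical contract contrasting native addition with a checked add, and `+=` on a fresh array slot with a plain assignment. It assumes a pre-0.8 compiler, where `+` wraps silently; `AdditionDemo` and all function names are made up, and `checkedAdd` is an inlined stand-in for the `add` function of SafeMathUpgradeable.

```solidity
// SPDX-License-Identifier: MIT
// Added illustration; hypothetical contract, not the IbbtcVaultZap source.
pragma solidity >=0.6.8 <0.8.0; // assumption: pre-0.8, native + wraps silently

contract AdditionDemo {
    // Same revert-on-overflow behaviour as SafeMath's add, inlined so the
    // file compiles without the OpenZeppelin package.
    function checkedAdd(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "addition overflow");
        return c;
    }

    // Before: native addition. A sum above 2**256 - 1 wraps modulo 2**256,
    // so the caller receives a small, wrong total and execution continues.
    function totalUnchecked(uint256[] memory amounts) public pure returns (uint256 total) {
        for (uint256 i = 0; i < amounts.length; i++) {
            total = total + amounts[i];
        }
    }

    // After: each step reverts instead of wrapping.
    function totalChecked(uint256[] memory amounts) public pure returns (uint256 total) {
        for (uint256 i = 0; i < amounts.length; i++) {
            total = checkedAdd(total, amounts[i]);
        }
    }

    // A freshly allocated memory array is zero-initialised, so "+=" on an
    // untouched slot is equivalent to an assignment, and the assignment
    // needs no overflow check at all.
    function fillFresh(uint256 n, uint256 value) public pure returns (uint256[] memory out) {
        out = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            out[i] = value; // instead of out[i] += value
        }
    }

    // Constructed input: two amounts whose true sum does not fit in uint256.
    function demo() external pure returns (uint256 wrapped) {
        uint256[] memory amounts = new uint256[](2);
        amounts[0] = type(uint256).max;
        amounts[1] = 2;
        wrapped = totalUnchecked(amounts); // wraps, does not revert
        // totalChecked(amounts) reverts with "addition overflow" on this input.
    }
}
```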

0xleastwood commented 2 years ago

Highly unlikely to overflow on uint256 amounts but will keep as low risk to ensure it is properly fixed. Would require an incredibly large amount of assets as safeTransferFrom transfers these assets from msg.sender to the contract.