code-423n4 / 2022-01-xdefi-findings


Insufficient input validation on `multipliers` #140

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

Dravee

Vulnerability details

Impact

Bounds should be checked so that the bonusMultiplier is always between 100 and 255

Proof of Concept

Bounds aren't checked for multipliers[i] here: https://github.com/XDeFi-tech/xdefi-distribution/blob/v1.0.0-beta.0/contracts/XDEFIDistribution.sol#L77-L85

Tools Used

VS Code

Recommended Mitigation Steps

Make sure that every multipliers[i] is bounded between 100 and 255 with require statements
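The recommended mitigation, written out as an added illustration (this is not the XDEFIDistribution contract's code; the contract, function and storage names below are assumptions). Because `multipliers` is typed `uint8`, the upper bound of 255 is already enforced by the type and Solidity's ABI decoder, so the `require` that adds real protection is the lower bound:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical contract illustrating the bounds check from the finding.
/// Names, storage layout and the owner model are assumptions, not XDEFI code.
contract BoundedMultipliers {
    // Bounds stated in the finding: multipliers must lie in [100, 255].
    uint8 public constant MIN_MULTIPLIER = 100;
    uint8 public constant MAX_MULTIPLIER = 255; // equal to type(uint8).max

    address public immutable owner;

    // lock duration (seconds) => bonus multiplier (assumed mapping)
    mapping(uint256 => uint8) public bonusMultiplierOf;

    error LengthMismatch(uint256 durations, uint256 multipliers);
    error MultiplierOutOfBounds(uint256 index, uint8 value);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    /// Sets one multiplier per lock duration, rejecting any value outside [100, 255].
    function setLockPeriods(uint256[] calldata durations, uint8[] calldata multipliers)
        external
        onlyOwner
    {
        if (durations.length != multipliers.length) {
            revert LengthMismatch(durations.length, multipliers.length);
        }

        for (uint256 i; i < durations.length; ++i) {
            uint8 m = multipliers[i];

            // Lower bound is the meaningful check: the uint8 type already
            // guarantees m <= 255 (the ABI decoder reverts on larger encodings).
            // The upper-bound comparison is kept to match the recommendation literally.
            if (m < MIN_MULTIPLIER || m > MAX_MULTIPLIER) {
                revert MultiplierOutOfBounds(i, m);
            }

            bonusMultiplierOf[durations[i]] = m;
        }
    }
}
```

A custom error carrying the offending index and value makes a failed configuration transaction easy to diagnose from the revert data, which a plain `require` string does not give you.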

deluca-mike commented 2 years ago

As far as I am aware, even if arguments are all really 256 bits, despite being defined as 8 bits, the EVM will return a value out-of-bounds error when a value provided as a uint8 is parsed as larger than 255.

Ivshti commented 2 years ago

agreed with sponsor