code-423n4 / 2022-01-xdefi-findings


Unsafe type casting #142

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L273-L275

```solidity
// Unchecked downcasts flagged by the finding (XDEFIDistribution.sol L273-L275).
depositedXDEFI: uint88(amount_),
expiry: uint32(block.timestamp + duration_),
created: uint32(block.timestamp),
```

Downcasting from uint256/int256 in Solidity does not revert on overflow. This can easily result in undesired exploitation or bugs.

Recommendation

Consider using SafeCast library from OpenZeppelin.

https://docs.openzeppelin.com/contracts/4.x/api/utils#SafeCast

deluca-mike commented 2 years ago

amount_ can never be larger than a uint88 since there are only 240M (18 decimals) XDEFI tokens. block.timestamp will never be larger than a uint32 for 50 years. There is no risk here. Perhaps informational as I can leave a comment.

deluca-mike commented 2 years ago

Relevant comments were left in the release candidate contracts.
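The exchange above turns on two things: what a Solidity downcast actually does when the value does not fit (the finding), and whether the values in this contract can ever reach that point (the maintainer's reply). The block below is an added example, not code from the XDEFI repository or from either participant. It models the two cast semantics in Python (`unchecked_cast` for the plain `uintN(x)` conversion, `safe_cast` for the OpenZeppelin `SafeCast.toUintN` behaviour that reverts instead) and then checks the two bounds the maintainer cites against the real field widths: a 240M supply with 18 decimals against `uint88`, and `block.timestamp` against `uint32`. The supply constant and the sample timestamp are taken from the thread and constructed for the example; they are not read from the chain.

```python
from datetime import datetime, timezone

# Constructed from the thread: 240M XDEFI with 18 decimals.
MAX_SUPPLY_XDEFI = 240_000_000 * 10**18
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
# Constructed sample "now": roughly January 2022, when the audit ran.
SAMPLE_NOW = 1_641_000_000


class CastOverflow(Exception):
    """Stand-in for a Solidity revert, as SafeCast.toUintN would raise."""


def max_uint(bits: int) -> int:
    """Largest value a uintN can hold."""
    return (1 << bits) - 1


def unchecked_cast(value: int, bits: int) -> int:
    """Solidity `uintN(value)`: keep the low N bits, silently drop the rest.

    No revert is raised, even with checked arithmetic (0.8.x) enabled;
    explicit conversions are not covered by the overflow checks.
    """
    if value < 0:
        raise ValueError("uint conversion of a negative value is out of scope here")
    return value & max_uint(bits)


def safe_cast(value: int, bits: int) -> int:
    """OpenZeppelin SafeCast.toUintN semantics: revert when the value does not fit."""
    if value < 0 or value > max_uint(bits):
        raise CastOverflow(f"value {value} does not fit in uint{bits}")
    return value


def supply_fits_uint88() -> bool:
    """Maintainer's claim: the whole supply, in wei units, fits a uint88."""
    return safe_cast(MAX_SUPPLY_XDEFI, 88) == MAX_SUPPLY_XDEFI


def uint32_headroom_years(now: int = SAMPLE_NOW) -> int:
    """Whole years until a uint32 timestamp wraps, measured from `now`."""
    return (max_uint(32) - now) // SECONDS_PER_YEAR


def uint32_exhaustion_year() -> int:
    """Calendar year in which uint32(block.timestamp) overflows (2106)."""
    return datetime.fromtimestamp(max_uint(32), tz=timezone.utc).year


def wrapped_expiry(now: int, duration: int) -> int:
    """What `uint32(block.timestamp + duration_)` stores if the sum exceeds uint32.

    Past the wrap point the stored expiry is smaller than `now`, i.e. an
    already-expired position, which is the failure mode the finding warns about.
    """
    return unchecked_cast(now + duration, 32)


if __name__ == "__main__":
    print("uint88 max:", max_uint(88), "supply:", MAX_SUPPLY_XDEFI)
    print("supply fits uint88:", supply_fits_uint88())
    print("uint32 headroom (years):", uint32_headroom_years())
    print("uint32 exhausts in:", uint32_exhaustion_year())
    print("wrapped expiry example:", wrapped_expiry(SAMPLE_NOW, max_uint(32)))
```

Run stand-alone it prints the field maxima next to the claimed bounds. The point of `wrapped_expiry` is that the unchecked form never signals the problem: an oversize sum simply becomes a small number, so the only protection is the invariant the maintainer relies on (bounded supply, bounded duration), not the cast itself. SafeCast turns that implicit invariant into a revert, which is why the finding recommends it even where the bound currently holds.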