code-423n4 / 2022-03-maple-findings


Unsafe Cast #1

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/maple-labs/revenue-distribution-token/releases/tag/v1.0.0-beta.1

Vulnerability details

Use OpenZeppelin's SafeCast in:

    RevenueDistributionToken.mint : unsafe cast int(shares_)
    RevenueDistributionToken.mintWithPermit : unsafe cast int(shares_)

lucas-manuel commented 2 years ago

I believe this issue was found by searching for int(. We do not do any uint => int casting in RDT.

Here are the two examples they are referring to:

https://github.com/maple-labs/revenue-distribution-token/blob/41a3e40bf8c109ff19b38b80fde300c44fd42a3d/contracts/RevenueDistributionToken.sol#L118

https://github.com/maple-labs/revenue-distribution-token/blob/41a3e40bf8c109ff19b38b80fde300c44fd42a3d/contracts/RevenueDistributionToken.sol#L132

Both are previewMint(shares_) which contains int(shares_)

dmvt commented 2 years ago

agree with sponsor
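
Added example, not part of the original thread or the RDT code base: a sketch of why a substring search for `int(` flags `previewMint(shares_)`, set beside a token-aware pattern that reports only explicit casts to signed integer types. The Solidity sample and the names `naive_hits` and `signed_cast_hits` are constructed for illustration.

```python
import re

# Constructed Solidity lines for illustration; not copied from the RDT repository.
SAMPLE = """\
function mint(uint256 shares_, address receiver_) external returns (uint256 assets_) {
    assets_ = previewMint(shares_);
    emit Hint(shares_);            // event name ending in "int"
    uint256 total_ = uint(shares_);
    int256 delta_ = int256(shares_);   // a real uint => int cast
    int8 small_ = int8 (delta_);
}
"""

# `int` or `intN` as a whole token followed by "(": the lookbehind rejects
# identifiers that merely end in "int" (mint, previewMint, Hint) and the uint types.
CAST_RE = re.compile(r"(?<![A-Za-z0-9_$])int(\d*)\s*\(")
LINE_COMMENT_RE = re.compile(r"//.*$")


def naive_hits(source):
    """Line numbers containing the substring 'int(' (the search described in the thread)."""
    return [n for n, line in enumerate(source.splitlines(), 1) if "int(" in line]


def signed_cast_hits(source):
    """(line number, type name) for each explicit cast to a signed integer type."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = LINE_COMMENT_RE.sub("", line)  # ignore // comments
        for m in CAST_RE.finditer(code):
            width = m.group(1)
            # Solidity signed widths are multiples of 8 from 8 to 256; bare int is int256.
            if width == "" or (int(width) % 8 == 0 and 8 <= int(width) <= 256):
                hits.append((n, "int" + width))
    return hits


if __name__ == "__main__":
    print("naive 'int(' lines:", naive_hits(SAMPLE))
    print("signed casts:", signed_cast_hits(SAMPLE))
```

On the sample, the substring search reports the four lines that contain no signed cast and misses the two that do, since `int256(` and `int8 (` do not contain the literal `int(`.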