code-423n4 / 2022-03-volt-findings


Unsafe Cast #57

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/tree/main/contracts/oracle/ScalingPriceOracle.sol#L171
https://github.com/code-423n4/2022-03-volt/tree/main/contracts/vcon/Vcon.sol#L508
https://github.com/code-423n4/2022-03-volt/tree/main/contracts/vcon/Vcon.sol#L499

Vulnerability details

Use OpenZeppelin's SafeCast in:

    https://github.com/code-423n4/2022-03-volt/tree/main/contracts/oracle/ScalingPriceOracle.sol#L171 : unsafe cast uint128(_cpiData)
    https://github.com/code-423n4/2022-03-volt/tree/main/contracts/vcon/Vcon.sol#L508 : unsafe cast uint96(n)
    https://github.com/code-423n4/2022-03-volt/tree/main/contracts/vcon/Vcon.sol#L499 : unsafe cast uint32(n)
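To show what the finding is about, here is a small constructed contract (added for this write-up, not code from the Volt repository) that stores the same uint256 both with a raw `uint128(x)` downcast, as ScalingPriceOracle does with `_cpiData`, and through OpenZeppelin's `SafeCast.toUint128`. The contract and function names are made up; the import path assumes OpenZeppelin Contracts 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed OpenZeppelin 4.x layout; SafeCast also provides toUint96 / toUint32
// for the Vcon casts named in the finding.
import "@openzeppelin/contracts/utils/math/SafeCast.sol";

/// Constructed illustration (hypothetical names), not the Volt contracts.
contract DowncastDemo {
    using SafeCast for uint256;

    uint128 public rawStored;
    uint128 public safeStored;

    /// Plain `uint128(x)` keeps only the low 128 bits: for any x >= 2**128
    /// the stored value is x mod 2**128 and the transaction does not revert,
    /// so an out-of-range input is silently turned into a small, wrong number.
    function storeRaw(uint256 x) external {
        rawStored = uint128(x);
    }

    /// SafeCast.toUint128 reverts when x does not fit in 128 bits, so a bad
    /// input is rejected instead of being stored as a truncated value.
    function storeSafe(uint256 x) external {
        safeStored = x.toUint128();
    }

    /// Pure helper: returns the truncated value and whether any bits were lost,
    /// i.e. whether widening the result back to uint256 no longer equals x.
    function truncates(uint256 x)
        external
        pure
        returns (uint128 raw, bool lostBits)
    {
        raw = uint128(x);
        lostBits = uint256(raw) != x;
    }
}
```

`truncates` lets a test check the boundary directly: every x below 2**128 round-trips, and from 2**128 upwards `lostBits` is true while `storeSafe` reverts for the same input.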

ElliotFriedman commented 2 years ago

VCON is out of scope for this contest per the contest rules.

Currently, numbers for inflation that are passed to the ScalingPriceOracle are in the hundreds of thousands. It would take over 25 orders of magnitude increase in consumer prices for the downcast from uint256 to uint128 to have any effect.

This should be marked low risk.