Closed code423n4 closed 1 year ago
Impossible for this scenario to occur. AmountToTransfer is calculated using _shares, which is the balance of the fees accumulated. It is impossible to accumulate enough fees such that _shares would be large enough to cause _amountToTransfer to be larger than uint128. In order for this to happen the contract would already have been broken with overflows of totalAsset.amount.
Fees are prevented from overflowing as per this line
This scenario is impossible. Marking invalid.
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L234-L263
Vulnerability details
Impact
The downcast uint128(_amountToTransfer) can result in an overflow, which would impact the _totalAsset.amount local variable, resulting in an incorrect amount for the totalAsset.amount state variable.
Proof of Concept
_totalAsset.amount will apply the decrement on the value resulting from the overflow, e.g. (340282366920938463463374607431768211455 + 1) = 0.
amount for the totalAsset state variable will persist an incorrect value, possibly smaller than intended.
Recommended Mitigation Steps
Apply downcasting using the safeCast library from OpenZeppelin.
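Added example, not part of the original report or of the Fraxlend code: the Solidity language behaviour the report refers to, with a silently truncating uint128 conversion next to a bounds-checked one. The contract, error and function names are hypothetical, and checkedCast is an inline stand-in for the bounds check that OpenZeppelin's SafeCast.toUint128 performs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical demo contract (added example, not Fraxlend code).
contract DowncastDemo {
    error ValueDoesNotFit(uint256 value);

    // Explicit conversion: the checked arithmetic of Solidity 0.8 does not
    // cover it, so the upper 128 bits are discarded without a revert.
    function truncatingCast(uint256 value) public pure returns (uint128) {
        return uint128(value);
    }

    // Bounds-checked conversion: reverts when the value does not fit,
    // which is the check OpenZeppelin's SafeCast.toUint128 applies.
    function checkedCast(uint256 value) public pure returns (uint128) {
        if (value > type(uint128).max) revert ValueDoesNotFit(value);
        return uint128(value);
    }

    // With toTransfer = uint256(type(uint128).max) + 1 the cast yields 0,
    // so the balance is returned unchanged instead of the call reverting.
    function decrementTruncating(uint128 balance, uint256 toTransfer)
        external
        pure
        returns (uint128)
    {
        return balance - truncatingCast(toTransfer);
    }

    // Same input reverts with ValueDoesNotFit before any state could change.
    function decrementChecked(uint128 balance, uint256 toTransfer)
        external
        pure
        returns (uint128)
    {
        return balance - checkedCast(toTransfer);
    }
}
```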