drgorillamd
commented
1 year ago Nice finding, disagree with severity (another tier can be added to fix it/no function/availability of the protocol impacted)
Closed code423n4 closed 1 year ago
drgorillamd
commented
1 year ago Nice finding, disagree with severity (another tier can be added to fix it/no function/availability of the protocol impacted)
c4-judge
commented
1 year ago Picodes marked the issue as duplicate
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696
Vulnerability details
Solidity won't perform automatic checks when downcasting and it's possible for some fields to overflow while adding tiers.
Proof of Concept
JBTiered721DelegateStore.recordAddTiers(), one item for_tiersToAddcontainsvotingUnitsbigger than the size of uint16, e.g. 65536._storedTierOfwill overflow, e.g. if the input is 65536 the value will be 0.Similar behavior can occur for other fields for a tier.
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696
Impact
Slient overflows will affect tier accouting and can cause unexpected behavior in the protocol.
Recommended Mitigation Steps
Make use of a safe-cast library. E.g. OpenZeppelin's SafeCast.