Closed code423n4 closed 1 year ago
baseAmount is uint128 and cliffPercent is checked to be under 1e18. Therefore, cliff amount is bound to uint128.
uint256 cliffAmount = FixedPointMathLib.mulDivDown(baseAmount, cliffPercent, 1e18);
This makes the issue invalid.
if (timings.cliffPercent > 1e18) {
revert InvalidCliffPercent();
}
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2022-11-size/blob/59ab86cffde7ba1d2565e97dd7731412a6394183/src/util/CommonTokenMath.sol#L59-L67
Vulnerability details
Unsafe cast blocks withdraw of tokens
Impact
tokensAvailableAtTime
is a internal function used bytokensAvailableForWithdrawal
and this one being used internally (also externally as it ispublic
) bywithdraw
method.cliffAmount
is auint256
, being able to have much bigger values than auint128
. However, it is used by the return method oftokensAvailableAtTime
with a cast touint128
. If the user has more tokens thantype(uint128).max
, he won't be able to withdraw them as return value would be0
.PoC
Affected code
https://github.com/code-423n4/2022-11-size/blob/59ab86cffde7ba1d2565e97dd7731412a6394183/src/util/CommonTokenMath.sol#L59-L67
Test case used in Remix for casts
Mitigation
Even though Solidity 0.8.x is used, type casts do not throw an error. A SafeCast library must be used everywhere a typecast is done. SafeCast References: https://docs.openzeppelin.com/contracts/4.x/api/utils#SafeCast