code-423n4 / 2022-12-tigris-findings


Token decimals may be above 18 leading to underflow issues #651

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L49
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L67
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L650
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L675

Vulnerability details

Impact

In both StableVault and Trading, there is an assumption that token decimal amounts are <=18. However, this can break if token decimals are >18, resulting in underflow which can lead to unpredictable behaviors, and extreme amounts during deposits and withdrawals.

Proof of Concept

1) Token with decimals above 18 gets approved
2) User does a deposit() or withdraw() in one of the following:
   - StableVault deposit(): https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L49
   - StableVault withdraw(): https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L67
   - Trading _handleDeposit(): https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L650

Tools Used

None

Recommended Mitigation Steps

Add checks on the decimals either during whitelisting of tokens or add reverts in the functions handling deposits and withdrawals.
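The mitigation the submitter proposes, as an added example that is not part of the original issue and not the Tigris code: a minimal vault that reads `decimals()` once at listing time and refuses any token whose decimals exceed the 18 used by the stable token, so the `18 - decimals` scaling exponent can never go negative. The contract name, `listToken`, `toStableUnits` and `fromStableUnits` are hypothetical names chosen for this example. Note that under Solidity >=0.8 checked arithmetic the bare subtraction `18 - decimals` with decimals above 18 reverts with a panic rather than wrapping; the listing-time check turns that into an explicit, named error and keeps such tokens from being whitelisted at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example, not the Tigris code: a vault that normalizes collateral
// amounts to 18 decimals and rejects tokens whose decimals() would make the
// scaling exponent negative.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

contract DecimalsGuardedVault {
    uint8 public constant STABLE_DECIMALS = 18;

    mapping(address => bool) public allowed;
    // decimals() cached at listing time, so the hot path never re-reads it
    mapping(address => uint8) public tokenDecimals;
    address public immutable owner;

    error DecimalsTooHigh(address token, uint8 decimals);
    error TokenNotListed(address token);

    constructor() {
        owner = msg.sender;
    }

    // Hypothetical whitelisting function: read decimals() once and reject
    // anything above STABLE_DECIMALS before the token can be used anywhere.
    function listToken(address token) external {
        require(msg.sender == owner, "not owner");
        uint8 d = IERC20Metadata(token).decimals();
        if (d > STABLE_DECIMALS) revert DecimalsTooHigh(token, d);
        allowed[token] = true;
        tokenDecimals[token] = d;
    }

    // Scale a collateral amount up to 18 decimals. Because listToken() bounds
    // tokenDecimals[token] to <= 18, the subtraction cannot underflow here.
    // Without that bound, Solidity >=0.8 would revert with a panic on
    // `STABLE_DECIMALS - d` for any d > 18 (checked arithmetic).
    function toStableUnits(address token, uint256 amount)
        public
        view
        returns (uint256)
    {
        if (!allowed[token]) revert TokenNotListed(token);
        // literal base with a non-literal exponent is computed in uint256
        return amount * 10 ** (STABLE_DECIMALS - tokenDecimals[token]);
    }

    // Inverse scaling for withdrawals: 18-decimal stable units back to the
    // token's own precision (integer division drops sub-unit dust).
    function fromStableUnits(address token, uint256 stableAmount)
        public
        view
        returns (uint256)
    {
        if (!allowed[token]) revert TokenNotListed(token);
        return stableAmount / 10 ** (STABLE_DECIMALS - tokenDecimals[token]);
    }
}
```

Caching `decimals()` at listing time also removes a second-order risk the issue does not discuss: a token whose `decimals()` return value changes after listing cannot alter the scaling used by later deposits and withdrawals.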

GalloDaSballo commented 1 year ago

The comment is misguided, having more than 18 decimals will cause reverts.

Because of that comment, I must close as invalid as the submission doesn't meet the basic standard of the submitter understanding what they are talking about or at least running the code.

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient quality