An overflow/underflow happens when an arithmetic operation reaches the maximum or minimum size of a type. For instance if a number is stored in the uint8 type, it means that the number is stored in a 8 bits unsigned number ranging from 0 to 2^8-1. In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits – either larger than the maximum or lower than the minimum representable value.
Proof of Concept
PoC
if (mm > lo) hi -= 1;
lo -= mm;
uint256 pow2 = z & (0 - z);
z /= pow2;
lo /= pow2;
lo += hi * ((0 - pow2) / pow2 + 1);
uint256 r = 1;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
r *= 2 - z * r;
Tools Used
Remix IDE
Recommended Mitigation Steps
// import safemath.sol and use it to create custom function to apply instead.
balance = add(balance, deposit);
if (mm > lo) hi = sub(hi, 1);
lo = sub(lo, mm);
uint256 pow2 = z & (0 - z);
z = div(z, pow2);
lo = div(lo, pow2);
lo += hi * ((0 - pow2) / pow2 + 1);
uint256 r = 1;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
r = mul(r, 2) - z * r;
Lines of code
https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/libraries/Fixed.sol#L504-L518
Vulnerability details
Impact
Proof of Concept
PoC
Tools Used
Recommended Mitigation Steps