code-423n4 / 2023-01-reserve-findings


SWC-101 Integer Overflow and Underflow #22

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/libraries/Fixed.sol#L504-L518

Vulnerability details

Impact

An overflow/underflow happens when an arithmetic operation reaches the maximum or minimum size of a type. For instance, if a number is stored in the uint8 type, it means that the number is stored in an 8-bit unsigned number ranging from 0 to 2^8-1. In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits – either larger than the maximum or lower than the minimum representable value.

Proof of Concept

PoC

        if (mm > lo) hi -= 1;
        lo -= mm;
        uint256 pow2 = z & (0 - z);
        z /= pow2;
        lo /= pow2;
        lo += hi * ((0 - pow2) / pow2 + 1);
        uint256 r = 1;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;
        r *= 2 - z * r;

Tools Used

Remix IDE

Recommended Mitigation Steps

// import safemath.sol and use it to create custom function to apply instead.
balance = add(balance, deposit);
        if (mm > lo) hi = sub(hi, 1);
        lo = sub(lo, mm);
        uint256 pow2 = z & (0 - z);
        z = div(z, pow2);
        lo = div(lo, pow2);
        lo += hi * ((0 - pow2) / pow2 + 1);
        uint256 r = 1;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;
        r = mul(r, 2) - z * r;

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality
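
An added example, not part of the issue or of the project's code: a Python model of the quoted excerpt on uint256 values, run either with wrapping arithmetic or with reverting (SafeMath-style) arithmetic. The steps around the excerpt (512-bit product, `mulmod` remainder, range guard, final multiply) are assumptions based on the common full-precision mulDiv pattern, and `u256`, `Revert` and `mul_div` are hypothetical names. In wrapping mode the result equals floor(x*y/z); in checked mode the `0 - z` step reverts for every nonzero `z`.

```python
M = 1 << 256  # uint256 modulus


class Revert(Exception):
    """Models the revert raised by checked (SafeMath-style) arithmetic."""


def u256(value, checked):
    # Checked mode reverts when a result leaves [0, 2**256);
    # wrapping mode reduces it mod 2**256.
    if checked and not 0 <= value < M:
        raise Revert("arithmetic overflow/underflow")
    return value % M


def mul_div(x, y, z, checked=False):
    """floor(x*y/z) for uint256 inputs, following the excerpt's steps."""
    prod = x * y
    hi, lo = prod >> 256, prod % M       # assumed: 512-bit product as two words
    if hi >= z:                          # assumed guard (also rejects z == 0)
        raise Revert("quotient does not fit in uint256")
    mm = prod % z                        # assumed: mulmod(x, y, z)
    if mm > lo:
        hi = u256(hi - 1, checked)
    lo = u256(lo - mm, checked)
    pow2 = z & u256(0 - z, checked)      # lowest set bit of z; needs 0 - z to wrap
    z //= pow2
    lo //= pow2
    # 2**256 / pow2, which itself wraps to 0 when pow2 == 1
    factor = u256(u256(0 - pow2, checked) // pow2 + 1, checked)
    lo = u256(lo + u256(hi * factor, checked), checked)
    r = 1                                # inverse of the now-odd z modulo 2
    for _ in range(8):                   # each step doubles the valid bits: 1 -> 256
        r = u256(r * u256(2 - z * r, checked), checked)
    return u256(lo * r, checked)         # assumed final step: exact quotient mod 2**256
```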