code-423n4 / 2023-05-juicebox-findings


``_amountReceived()`` converts a negative integer into uint, leading to a wrong value. #10

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/9a36e5c8d0588f0f262a0cd1c08e34b2184d8f4d/juice-buyback/contracts/JBXBuybackDelegate.sol#L224

Vulnerability details

Impact

Detailed description of the impact of this finding. uniswapV3SwapCallback() retrieves the value of _amountReceived() but with a conversion from a negative integer to uint, leading to a wrong value.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

uniswapV3SwapCallback() is a callback function.

https://github.com/code-423n4/2023-05-juicebox/blob/9a36e5c8d0588f0f262a0cd1c08e34b2184d8f4d/juice-buyback/contracts/JBXBuybackDelegate.sol#L224

uniswapV3SwapCallback() retrieves the value of _amountReceived() but with a conversion from a negative integer to uint:

// Assign 0 and 1 accordingly
uint256 _amountReceived = uint256(-(_projectTokenIsZero ? amount0Delta : amount1Delta));
uint256 _amountToSend = uint256(_projectTokenIsZero ? amount1Delta : amount0Delta);

As a result, _amountReceived might end up with the wrong value. A negative number will be converted into a large unsigned integer as the following code shows:

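// forge-std's Test.sol provides console2 for Foundry tests
import "forge-std/Test.sol";

contract CastTest is Test {
    function testHello() public {
        int ok = 56;
        // Explicit int -> uint conversion is not range-checked: -56 is reinterpreted as unsigned
        uint256 result = uint(-ok);
        console2.log("Result: %d", result);
    }
}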

Tools Used

VSCode

Recommended Mitigation Steps

Maybe eliminate the negative sign.

Assessed type

Math
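An added illustration, not part of the report or of the audited repository: the bare-cast pattern quoted above next to a sign-checked variant. It relies on Uniswap V3's documented callback convention that a negative delta is an amount the pool paid out and a positive delta is an amount owed to the pool; the contract, error and function names are hypothetical and the inputs in `demo()` are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; not code from the audited repository. All names are hypothetical.
contract SwapDeltaCasts {
    error UnexpectedSign(int256 received, int256 owed);

    // The bare pattern quoted in the finding. Explicit int256 -> uint256
    // conversion is not range-checked in Solidity 0.8: a negative operand
    // keeps its two's-complement bit pattern and reads as a huge number.
    function bareCasts(bool projectTokenIsZero, int256 amount0Delta, int256 amount1Delta)
        public pure returns (uint256 amountReceived, uint256 amountToSend)
    {
        amountReceived = uint256(-(projectTokenIsZero ? amount0Delta : amount1Delta));
        amountToSend = uint256(projectTokenIsZero ? amount1Delta : amount0Delta);
    }

    // Sign-checked variant: the received leg must be negative (paid out by the
    // pool) and the owed leg positive, otherwise revert instead of wrapping.
    function checkedCasts(bool projectTokenIsZero, int256 amount0Delta, int256 amount1Delta)
        public pure returns (uint256 amountReceived, uint256 amountToSend)
    {
        (int256 received, int256 owed) = projectTokenIsZero
            ? (amount0Delta, amount1Delta)
            : (amount1Delta, amount0Delta);
        if (received >= 0 || owed <= 0) revert UnexpectedSign(received, owed);
        // Checked negation reverts on type(int256).min, so this cannot wrap.
        amountReceived = uint256(-received);
        amountToSend = uint256(owed);
    }

    // Constructed inputs: the documented sign pattern first, then the swapped one.
    // With bareCasts the first call yields the plain magnitude and the second
    // wraps; checkedCasts would revert on the second pair instead.
    function demo() external pure returns (uint256 expectedSigns, uint256 swappedSigns) {
        (expectedSigns, ) = bareCasts(true, -56, 100);
        (swappedSigns, ) = bareCasts(true, 56, -100);
    }
}
```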

c4-pre-sort commented 1 year ago

dmvt marked the issue as low quality report

dmvt commented 1 year ago

Fails to show a scenario where this will occur or describe the impact if it does

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality