Open c4-bot-6 opened 9 months ago
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as duplicate of #17
Agree to use uint256ToUint24
. Thanks for pointing out!
0xleastwood marked the issue as satisfactory
0xleastwood changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L523-L527
Vulnerability details
Description
ParticlePositionManager::addPremium
:If a user adds a lot of tokens to have a big premium it is possible that this cast to
uint24
can overflow. If the premium is >16x (type(uint24).max/1_000_000
). These tokens would be lost as the overflow would make the premium portion very low.Although, a 16x premium is a lot hence it is unlikely this will happen.
Impact
Instead of getting a lot of premium a user would lock their tokens in the contract.
Proof of Concept
PoC test in
LiquidatePosition.t.sol
:Tools Used
Manual audit
Recommended Mitigation Steps
Consider reverting if the premium portion is
>type(uint24).max
, similar toBase.uint256ToUint24
.Assessed type
Under/Overflow