Closed c4-bot-4 closed 4 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) confirmed
Updating reserves on swap now has overflow check.
https://github.com/othernet-global/salty-io/commit/a47139ba7a6fd5ccbbdef68e7ff964f4a411b533 https://github.com/othernet-global/salty-io/commit/f94310e4bf28c5965f10525059a7996564713427
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
Shouldn't this either be invalid or downgraded to low taking into account that:
type(uint112).max
(see proposeTokenWhitelisting).@fnanni-0 thanks for flagging. I do agree with your comment, especially concerning the fact that this should be out of scope.
Picodes marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L274-L275
Vulnerability details
Impact
There is a potential risk of overflow during the update of liquidity pool reserves in Pools.sol _adjustReservesForSwap(). If the reserve of any token of a liquidity pool after swap is greater than
type(uint128).max
, then the type casting will result in an overflow.The overflow may lead to unexpected and undesired behavior in the protocol, potentially affecting the reserves and
reserve ratio
of tokens in a liquidity pool which can be exploited by malicious actors.The chance of this occuring is minimal but if it ever happens for a token, then the consequences will be disastrous so it's better to be cautious and take proactive measures.
Proof of Concept
The function Pools.sol _adjustReservesForSwap() is called during every swap and arbitrage. It temporarily stores reserves of pool in uint256 variables
reserve0
andreserve1
for calculations.The value of
reserve0
andreserve1
is casted to uint128 to update the final reserves,reserves.reserve0
andreserves.reserve1
, as shown below. As we can see, there exists a mismatch in the variable types.E.g. if
reserve0 > type(uint128).max
, thenreserves.reserve0 = uint128(reserve0)
will result in an overflow.POC: The following test can be executed in Pools.t.sol
Tools Used
Manual review
Recommended Mitigation Steps
Add a check, as shown in the code snippet below, to revert the transaction in case of an overflow.
Assessed type
Under/Overflow