Closed by c4-bot-8 3 months ago
cryptotechmaker (sponsor) confirmed
dmvt marked the issue as primary issue
dmvt marked the issue as selected for report
dmvt marked the issue as not selected for report
dmvt marked the issue as satisfactory
dmvt marked issue #69 as primary and marked this issue as a duplicate of 69
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenCodec.sol#L75
Vulnerability details
Description
The function decodeLockTwpTapDstMsg() is used to decode the encoded message intended for the lockTwTapPosition() operation. https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenCodec.sol#L62-L81
The input _msg is produced by abi.encodePacked() from three parameters: user of type address, duration of type uint96, and amount of type uint256. Packed encoding adds no padding between fields, so the value of each parameter can be obtained by extracting a fixed byte range of the _msg message:
user corresponds to bytes [0, 20)
duration corresponds to bytes [20, 32)
amount corresponds to bytes [32, 64)
To extract these byte ranges of _msg, the function uses the BytesLib.slice() function from the BytesLib library. https://github.com/GNSPS/solidity-bytes-utils/blob/df88556cbbc267b33a787a3a6eaa32fd7247b589/contracts/BytesLib.sol#L228-L232
However, the duration parameter, a uint96 (96 bits = 12 bytes), is handled incorrectly. The function passes durationOffset_ = 32 as the _length argument of BytesLib.slice() instead of the field width of 12, so the slice covers bytes [20, 52) of _msg rather than [20, 32) and runs 20 bytes into the amount field. The 32-byte result is then handed to BytesLib.toUint96(), and the decoding of duration fails, so the call reverts. Note where the length checks live: BytesLib.slice() requires _msg.length >= _start + _length (52 bytes here, rather than the 32 bytes that user and duration actually occupy) and reverts with slice_outOfBounds otherwise, and BytesLib.toUint96() requires its input to hold at least 12 bytes from the given start and reads only those 12 bytes.
Impact
The function _lockTwTapPositionReceiver, which relies on this decoder, fails to execute because the transaction reverts.
Tools Used
Manual review
Recommended Mitigation Steps
When decoding the duration variable in TapTokenCodec::decodeLockTwpTapDstMsg, set _length to 12 (the byte width of a uint96) so that the slice covers exactly bytes [20, 32), and keep userOffset_ as the start of the slice.
Assessed type
en/de-code
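As an added illustration, not code from the Tapioca repository or from this report, the library below encodes the same three fields with abi.encodePacked() and decodes them with each field's exact width. It uses inline assembly with shifts instead of BytesLib.slice(), so the decoded duration cannot depend on a mis-sized slice; the library name LockMsgCodecExample, the strict 64-byte length check and the roundTrip() helper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example codec for a lockTwTapPosition-style message (added example, not project code).
/// Layout of the packed message, in bytes:
///   user     | address | [0, 20)
///   duration | uint96  | [20, 32)
///   amount   | uint256 | [32, 64)
library LockMsgCodecExample {
    struct LockTwTapPositionMsg {
        address user;
        uint96 duration;
        uint256 amount;
    }

    uint256 internal constant USER_WIDTH = 20;     // address
    uint256 internal constant DURATION_WIDTH = 12; // uint96
    uint256 internal constant AMOUNT_WIDTH = 32;   // uint256
    uint256 internal constant MSG_LENGTH = USER_WIDTH + DURATION_WIDTH + AMOUNT_WIDTH; // 64

    /// Packed encoding: 20 + 12 + 32 = 64 bytes, no padding between fields.
    function encode(address user, uint96 duration, uint256 amount) internal pure returns (bytes memory) {
        return abi.encodePacked(user, duration, amount);
    }

    /// Decodes each field from its fixed byte range. Every mload reads a full
    /// 32-byte word, so the narrower fields are shifted right to keep only
    /// their own bytes; there is no intermediate slice whose length can be wrong.
    function decode(bytes memory _msg) internal pure returns (LockTwTapPositionMsg memory m) {
        // Assumption of this example: reject anything but an exactly sized message.
        require(_msg.length == MSG_LENGTH, "LockMsgCodecExample: bad length");

        address user;
        uint96 duration;
        uint256 amount;
        assembly {
            let p := add(_msg, 32) // skip the length word of the bytes array
            // bytes [0, 20): the top 20 bytes of the word at offset 0
            user := shr(96, mload(p))
            // bytes [20, 32): the top 12 bytes of the word at offset 20
            duration := shr(160, mload(add(p, USER_WIDTH)))
            // bytes [32, 64): the whole word at offset 32
            amount := mload(add(p, add(USER_WIDTH, DURATION_WIDTH)))
        }
        m = LockTwTapPositionMsg(user, duration, amount);
    }

    /// Sanity check that encode and decode agree on constructed sample values.
    function roundTrip() internal pure returns (bool) {
        address user = 0x1111111111111111111111111111111111111111;
        uint96 duration = 7 days;
        uint256 amount = 1_000 ether;
        LockTwTapPositionMsg memory m = decode(encode(user, duration, amount));
        return m.user == user && m.duration == duration && m.amount == amount;
    }
}
```

Under the same layout, the one-line fix to the original decoder is to slice the duration field with a length of 12 rather than durationOffset_; the assembly form above simply makes the field widths explicit so that an offset and a length cannot be confused.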