howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-07-optimism/blob/main/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L738

Vulnerability details

There are a few underflows that are converted via a typecast afterwards to the expected value. If solidity 0.8.x would be used, then the code would revert.
int256(a-b) where a and b are uint: For example, if a=1 and b=2, then the intermediate result would be uint(-1) == 2**256-1 int256(-x) where x is a uint. For example, if x=1, then the intermediate result would be uint(-1) == 2**256-1

From FaultDisputeGame.sol L738:

function getRequiredBond(Position _position) public view returns (uint256 requiredBond_) {

uint256 lnA = uint256(FixedPointMathLib.lnWad(int256(a * FixedPointMathLib.WAD))); // underflow in intermediate result

...

int256 rawGas = FixedPointMathLib.powWad(base, int256(depth * FixedPointMathLib.WAD)); // underflow in intermediate result
...
}

Tools Used

Vscode

Recommended Mitigation Steps

Recommend replacing int256(a-b) with int256(a)-int256(b), and replacing int256(-x) with -int256(x)

Assessed type

Under/Overflow

zobront commented 4 months ago

This seems incorrect, as the int is passed to lnWad which returns a positive value. Will ask sponsor to confirm.

Inphi commented 4 months ago

Agree that this is incorrect. There aren't any negative values produced in getRequiredBond.

c4-judge commented 4 months ago

zobront marked the issue as unsatisfactory: Invalid

code-423n4 / 2024-07-optimism-findings

Implicit underflows can revert it #84

Lines of code

Vulnerability details

Tools Used

Recommended Mitigation Steps

Assessed type