search

hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4

Other
1 stars 2 forks source link

Downcasting uint or int may result in overflow #28

Open hats-bug-reporter[bot] opened 6 months ago

hats-bug-reporter[bot] commented 6 months ago

Github username: @saidqayoumsadat Twitter username: saqsadat143 Submission hash (on-chain): 0xaf4ba2b93b17a9380e59287d523af2f7685a24f87bf3d187cf1cd24da29abcf4 Severity: low

Description: Description\ Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows.

  1. Proof of Concept (PoC) File
file: /src/CatalystChainInterface.sol

370         uint32(block.number),
371            uint16(calldata_.length),

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystChainInterface.sol#L370C1-L371C38

file: /src/CatalystChainInterface.sol#L396C1-L399C93

396                uint256(bytes32(data[ UNITS_START : UNITS_END ])),                          // units
                uint256(bytes32(data[ CTX0_FROM_AMOUNT_START : CTX0_FROM_AMOUNT_END ])),    // fromAmount
                address(bytes20(data[ CTX0_FROM_ASSET_START_EVM : CTX0_FROM_ASSET_END ])),  // fromAsset
                uint32(bytes4(data[ CTX0_BLOCK_NUMBER_START : CTX0_BLOCK_NUMBER_END ]))     // blo

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystChainInterface.sol#L396C1-L399C93

file: /src/CatalystVaultAmplified.sol

339                            int256((weightAssetBalance - _underwriteEscrowMatchBalance0[token] * weight) * FixedPointMathLib.WAD),  // If casting overflows to a negative number, powWad fails

347                            int256(weightAssetBalance * FixedPointMathLib.WAD),  // If casting overflows to a negative number, powWad fails

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L339C1-L339C191

file: /src/CatalystVaultVolatile.sol

885        uint256 U = uint256(FixedPointMathLib.lnWad(  // uint256: ln computed of a value greater than 1 is always positive
886            int256(FixedPointMathLib.divWadDown(initialTotalSupply, initialTotalSupply - vaultTokens))

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultVolatile.sol#L885C1-L886C104

reednaa commented 6 months ago

You are aware that you are wasting gas submitting these issues?

Please see code comments. Do you disagree?