Description
In the EthMultiVault contract, the getCounterIdFromTriple function derives the ID of a counter vault by subtracting the original vault ID from type(uint256).max. This works for any realistic number of vaults, but in the extreme case where the number of vaults exceeds type(uint256).max / 2 there is a theoretical risk of ID collisions between regular vaults and counter vaults, since the two ID spaces grow towards each other from opposite ends of the uint256 range.
Attack Scenario
While highly improbable in practice, the following scenario could theoretically occur:
1. The contract keeps creating new vaults until the vault ID exceeds type(uint256).max / 2.
2. At this point, new vault IDs start to overlap with the counter IDs of existing vaults.
3. This could lead to data corruption or unexpected behavior when interacting with these high-numbered vaults or their counters.
For example:
1. A vault with ID 2^255 is created.
2. Its counter vault ID would be 2^256 - 1 - 2^255, which equals 2^255 - 1.
3. If a new vault is later created with ID 2^255 - 1, it would collide with the counter of the first vault.
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract EthMultiVault {
    // Placeholder struct: the real VaultState fields are not part of this report.
    struct VaultState {
        uint256 totalAssets;
        uint256 totalShares;
    }

    // Regular vaults and counter vaults live in separate mappings, so one
    // numeric ID can never address both kinds of vault at once.
    mapping(uint256 => VaultState) public vaults;
    mapping(uint256 => VaultState) public counterVaults;

    // A counter vault reuses the ID of its triple; the bound keeps every ID
    // below type(uint256).max / 2, so IDs never meet at the top of the range.
    function getCounterIdFromTriple(uint256 id) public pure returns (uint256) {
        require(id <= type(uint256).max / 2, "Invalid vault ID");
        return id;
    }

    function getVaultState(uint256 id, bool isCounter) public view returns (VaultState memory) {
        if (isCounter) {
            return counterVaults[id];
        } else {
            return vaults[id];
        }
    }

    // Other functions would need to be updated to use the new structure
}
```
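The arithmetic behind the scenario above, as an added example that is not part of the report or the Intuition code base: it models the subtraction-based counter ID, computes the exact vault count at which the two ID spaces first meet, and shows a guarded variant (an alternative to the two-mapping proposal, assumed here for illustration) that keeps the subtraction but bounds the input.

```python
# Added example: models the counter-ID scheme described in the report.
UINT256_MAX = 2**256 - 1
HALF = UINT256_MAX // 2  # 2**255 - 1, the largest ID on the "regular" side


def counter_id(vault_id: int) -> int:
    """Counter-vault ID as the report describes it: type(uint256).max - id."""
    if not 0 <= vault_id <= UINT256_MAX:
        raise ValueError("not a uint256")
    return UINT256_MAX - vault_id


def counter_id_checked(vault_id: int) -> int:
    """Assumed alternative fix: keep the subtraction, bound the input.

    With id <= HALF every regular ID lies in [0, HALF] and every counter ID
    in [HALF + 1, UINT256_MAX], so the two spaces are provably disjoint.
    """
    if vault_id > HALF:
        raise ValueError("Invalid vault ID")
    return UINT256_MAX - vault_id


def id_spaces(n: int):
    """Ranges occupied after n sequentially created vaults (IDs 1..n):
    regular IDs and the counter IDs derived from them."""
    return (1, n), (UINT256_MAX - n, UINT256_MAX - 1)


def spaces_overlap(n: int) -> bool:
    """True once some regular ID equals some counter ID (closed intervals)."""
    (a0, a1), (b0, b1) = id_spaces(n)
    return a1 >= b0 and b1 >= a0


def min_vaults_for_collision() -> int:
    """Smallest n with a collision: need j + k = UINT256_MAX for some
    j, k <= n, hence n = ceil(UINT256_MAX / 2) = 2**255. The colliding
    pair is exactly the report's example, 2**255 and 2**255 - 1."""
    return (UINT256_MAX + 1) // 2
```

Reaching the overlap would require 2^255 vault creations, which is why the report rates the risk as theoretical rather than practical.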
Github username: --
Twitter username: --
Submission hash (on-chain): 0x45af594e37907786efc19eea5046d4b897518936ba6dc1ee0e011e4b1bfa26dd
Severity: medium
Attachments
https://github.com/hats-finance/Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a/blob/b2e422ff0c3e3729e58d2699fdf2ef8699fbd172/src/EthMultiVault.sol#L1354-L1355
Revised Code File (Optional)