The NominationAgent contract contains several instances of unchecked arithmetic operations. Specifically, the deposit and start_unbond functions perform addition and subtraction on the staked variable without checking for overflow or underflow. This can lead to unexpected behavior and potential loss of funds.
Attack Scenario
An attacker could exploit this vulnerability by causing an overflow or underflow in the staked variable. For example, if the staked value is close to the maximum value of u128, a large deposit could cause an overflow, resulting in an incorrect staked value. Similarly, if the staked value is small, a large unbonding request could cause an underflow.
Attachments
Proof of Concept (PoC) File
#[cfg(test)]
mod tests {
use super::*;
#[ink::test]
fn test_overflow() {
let mut agent = NominationAgent::new(AccountId::default(), AccountId::default(), 1);
agent.staked = u128::MAX;
assert!(agent.deposit().is_err());
}
#[ink::test]
fn test_underflow() {
let mut agent = NominationAgent::new(AccountId::default(), AccountId::default(), 1);
agent.staked = 0;
assert!(agent.start_unbond(1).is_err());
}
}
Use checked arithmetic methods like checked_add and checked_sub to prevent overflow and underflow. This ensures that any arithmetic operation that exceeds the limits of u128 will result in an error, preventing unexpected behavior and potential loss of funds.
Github username: @neuraldevx Twitter username: -- Submission hash (on-chain): 0x1a4ebcf2024f7424bda536fa0fc82169a0ad0793f8bcc96e50e1d79bf5116a0a Severity: high
Description: Description
Attack Scenario
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Recommendation: