search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

web3_r - _getMaxAge() can underflow or overflow #67

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

web3_r

medium

_getMaxAge() can underflow or overflow

Summary

The provided function _getMaxAge() calculates the time difference between the current block's timestamp and a given timestamp _executableAtTime. The result is then cast to uint32. There is potential vulnerability in the cast from uint64 to uint32.

Vulnerability Detail

Overflow: If the time difference is too large, it may exceed the maximum value representable by uint32 (which is 2^32 - 1). In such cases, the result will overflow, and you'll get an unexpected and likely incorrect value.

Impact

This can affect the calculation for stableCollateralPerShare() in both deposit and withdraw. there by causing user to fewer LPs on deposit or more amountOut on withdraw

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/StableModule.sol#L252

Tool used

Manual Review

Recommendation

To handle this, you may want to check whether the time difference is within the representable range of uint32 before performing the cast, and handle overflow scenarios appropriately.

function _getMaxAge(uint64 _executableAtTime) internal view returns (uint32 _maxAge) { uint256 timeDifference = block.timestamp - _executableAtTime; require(timeDifference <= type(uint32).max, "Time difference exceeds uint32 range"); return uint32(timeDifference); }

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: POC ?

nevillehuang commented 8 months ago

Invalid, it would be unrealistic for this to overflow given it is not possible for max age of a price to reach this kind of levels (2**32 - 1)