Closed sherlock-admin2 closed 9 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { This is invalid as the timestamp need to reach a whooping 18446744073709551615 to overflow which is a lot of years}
Invalid, this overflow will only occur on Sun Jul 21 2554, which is basically a non issue
0xC
medium
Potential overflow in
TelcoinDistributor
contract'sproposeTransaction
functionSummary
The
TelcoinDistributor
smart contract, as presented, contains a potential vulnerability in the assignment of thetimestamp
variable. The assignment ofblock.timestamp
totimestamp
without proper validation can lead to an overflow ifblock.timestamp
exceeds the maximum value that auint64
can represent.Vulnerability Detail
In the
TelcoinDistributor
contract'sproposeTransaction
function, thetimestamp
variable is assigned the value ofblock.timestamp
without any validation. Thetimestamp
variable is of typeuint64
, which can represent values from 0 to 2^64-1. However, ifblock.timestamp
exceeds this maximum value, an overflow will occur, resulting in an incorrecttimestamp
value.As there is no check to ensure that
block.timestamp
does not exceed the maximum value representable by auint64
, it is possible for an overflow to occur, leading to incorrect timestamps in theProposedTransaction
struct.Impact
The potential overflow in the assignment of the
timestamp
variable can have a significant impact on theTelcoinDistributor
contract. If an overflow occurs, the timestamps recorded for proposed transactions will be incorrect, which can lead to various issues, including challenges being initiated or executed at unexpected times. This can disrupt the intended operation of the contract and compromise its functionality.Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L98
Tool used
Manual Review
Recommendation
To mitigate the potential overflow vulnerability, it is recommended to add a validation check to ensure that
block.timestamp
does not exceed the maximum value representable by auint64
before assigning it to thetimestamp
variable or just to useuint256
instead ofuint64
for thetimestamp
variable.Here is the updated code snippet with the recommended validation check:
By implementing this change, the contract will validate that
block.timestamp
does not exceed the maximum value representable by auint64
before recording it as thetimestamp
for proposed transactions, preventing potential overflow issues.