search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

peyodp - Unsafe casting of the `_liquidty` parameter in `TickUtils::quoteAddLiquidity` in TickUtils.sol #12

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

peyodp

high

Unsafe casting of the _liquidty parameter in TickUtils::quoteAddLiquidity in TickUtils.sol

Summary

Unsafe casting of _liquidity in TickUtils::quoteAddLiquidity in contracts/utils/TickUtils.sol

Vulnerability Detail

The input parameter for _liquidity in TickUtils::quoteAddLiquidity is defined as an uint256. Within the body of the function, when calling the getAmountsForLiquidity function, the _liquidity parameter is passed as an input parameter while it is being cast to an uint128.

Impact

Casting an uint256 variable to an uint128 represents downcasting which can be unsafe and lead to potential data loss. Downcasting can trigger unintended behaviour since the provided uint256 value may exceed the range of the target type, i.e., uint128. That could result in truncation and loss of digits.

Code Snippet

function quoteAddLiquidity(int24 _currentTick, int24 _lowerTick, int24 _upperTick, uint256 _amt0, uint256 _amt1) internal pure returns(uint256 _actualAmount0, uint256 _actualAmount1, uint256 _liquidity) {
        // Grab the amount of liquidity for our token balances
        _liquidity = LiquidityAmounts.getLiquidityForAmounts(
                _currentTick.getSqrtRatioAtTick(),
                _lowerTick.getSqrtRatioAtTick(),
                _upperTick.getSqrtRatioAtTick(),
                _amt0,
                _amt1
        );

        ( _actualAmount0,  _actualAmount1) = LiquidityAmounts.getAmountsForLiquidity(
                _currentTick.getSqrtRatioAtTick(),
                _lowerTick.getSqrtRatioAtTick(),
                _upperTick.getSqrtRatioAtTick(),
                uint128(_liquidity)
        );
    }

Link to LoC: https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/TickUtils.sol#L44

Tool used

Manual Review

Recommendation

OpenZeppelin's SafeCast library can be used to safely downcast integers.

sherlock-admin4 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

31