Lack of Validation will Cause Incorrect Logic Execution
Summary
The issue arises when the packDelta function on LinearRangeCurve.sol allows packing of invalid time values where the start is greater than the end, resulting in a nonsensical time curve. This leads to incorrect unpacking and, consequently, logic breakdowns in calculations involving time intervals. A lack of validation during packing also allows corrupted values to pass through, causing further problems when unpacking the data for use.
Root Cause
The root cause of the issue is the absence of input validation in the packDelta function, which allows incorrect values, such as a start timestamp greater than the end timestamp, to be packed and subsequently cause logic errors when used in other calculations.
Internal pre-conditions
The packDelta function does not enforce that start must be less than end.
Values are packed without validation, meaning any input values are accepted.
External pre-conditions
The system relies on correctly ordered timestamps for time curve calculations.
No external validation ensures that the caller provides valid start and end timestamps.
Attack Path
A malicious actor or faulty input provides a start timestamp that is greater than the end timestamp to the packDelta function.
The packed delta is used in calculations that expect start < end, leading to invalid results.
When the delta is unpacked, the logic breaks down, potentially leading to incorrect or exploitable behaviors.
Impact
• Time-related calculations, such as price adjustments based on a curve, can be incorrect or break entirely, leading to unintended negative values, incorrect pricing, or even exploits where negative values are used in critical operations.
• In this specific case, when the function unpacks a delta with a higher start than end, it may result in a negative inputValue, allowing the purchase of items with negative costs.
PoC
Call packDelta with a start timestamp greater than the end timestamp:
uint128 delta = packDelta(2000000000, 1000000000); // start > end
Unpack this delta and see the mismatched start_ and end_ values:
(uint32 start_, uint32 end_) = unpackDelta(delta);
// start_ will be 2000000000, and end_ will be 1000000000 (nonsensical time curve).
Use the unpacked values in a calculation that expects start < end, leading to logic errors:
uint256 inputValue = numItems * (spotPrice * (end_ - block.timestamp) / (end_ - start_));
// This calculation could result in a negative inputValue due to start_ > end_.
Mitigation
To mitigate this issue, the smart contract can add a validation check within the packDelta function to ensure that the start timestamp is less than the end timestamp before packing the values. If the condition is not met, the function should revert the transaction, preventing the packing of invalid time ranges.
In the packDelta function, add the following validation:
function packDelta(uint32 start, uint32 end) public pure returns (uint128) {
require(start < end, "Invalid input: start must be less than end");
return uint128(start) << 96 | uint128(end) << 64;
}
This ensures that invalid inputs are caught early, preventing them from affecting downstream logic or leading to negative values in calculations.
Raspy Bubblegum Sawfish
Low/Info
Lack of Validation will Cause Incorrect Logic Execution
Summary
The issue arises when the packDelta function on
LinearRangeCurve.solallows packing of invalid time values where the start is greater than the end, resulting in a nonsensical time curve. This leads to incorrect unpacking and, consequently, logic breakdowns in calculations involving time intervals. A lack of validation during packing also allows corrupted values to pass through, causing further problems when unpacking the data for use.Root Cause
The root cause of the issue is the absence of input validation in the packDelta function, which allows incorrect values, such as a start timestamp greater than the end timestamp, to be packed and subsequently cause logic errors when used in other calculations.
Internal pre-conditions
External pre-conditions
Attack Path
Impact
• Time-related calculations, such as price adjustments based on a curve, can be incorrect or break entirely, leading to unintended negative values, incorrect pricing, or even exploits where negative values are used in critical operations. • In this specific case, when the function unpacks a delta with a higher start than end, it may result in a negative inputValue, allowing the purchase of items with negative costs.
PoC
Call
packDeltawith astarttimestamp greater than theendtimestamp:Unpack this delta and see the mismatched
start_andend_values:Use the unpacked values in a calculation that expects
start < end, leading to logic errors:Mitigation
To mitigate this issue, the smart contract can add a validation check within the
packDeltafunction to ensure that thestarttimestamp is less than theendtimestamp before packing the values. If the condition is not met, the function should revert the transaction, preventing the packing of invalid time ranges.In the
packDeltafunction, add the following validation:This ensures that invalid inputs are caught early, preventing them from affecting downstream logic or leading to negative values in calculations.