Consensys / truffle-security

MythX smart contract security verification plugin for Truffle Framework
https://mythx.io

False positive SWC-101 #245

Open area opened 4 years ago

area commented 4 years ago

With the following contract

pragma solidity 0.5.8;

contract Resolver {
  function f(string memory sig) public pure returns(bytes4) {
    return bytes4(keccak256(abi.encodePacked(sig)));
  }
}

Running yarn truffle run verify --mode quick ./contracts/Resolver.sol, I get the report:

5:33  error    The binary addition can overflow    SWC-101
8:81  error    integer overflow                    SWC-101

Replacing sig with a uint (rather than a string) causes the error to disappear. This is a minimum working example from a larger contract, where the line numbers in the report were very wrong (they referred to a comment block at the start of the file with licensing information).

EDIT: Example report UUID: 9ca79e99-d5d6-4ffc-8268-3c01a0307857

nbanmp commented 4 years ago

Thanks for reporting the issue and for finding a minimal working example. That's very helpful.

We are looking into the false positive.

nbanmp commented 4 years ago

Here is an even simpler example:

pragma solidity 0.5.11;

contract Resolver {
    function f(string memory sig) public payable {
        abi.encodePacked(sig);
    }
}

It looks like there is a real integer overflow occurring here, but it is generated by the compiler.

We will decide whether or not we want to hide those overflows in the response, as they are unfixable by the user.