LockedBalance library should drop parameters to 96/32 bits #44
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/libraries/LockedBalance.sol#L56
Vulnerability details
Impact
The LockedBalance contract takes 256-bit amount values but performs bit math on them as if they were 96-bit values. Bits could spill over to a different locked balance in the else part (lockedBalance stores two 128-bit locked balances in one 256-bit storage field). It could then increase the other, unrelated locked balance's amount, leading to stealing funds from the protocol.

All callers of this function currently seem to ensure that totalAmount is indeed less than 96 bits, but the LockedBalance library should be self-contained and not depend on the calling side to perform all checks. If the code is ever extended and more calls to these functions are performed, it'll likely cause issues.
Recommended Mitigation Steps
Make sure that there are only 96/32 bits set in totalAmount and expiration by dropping them to their respective types.