Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_updateTwav() and _getTwav() will revert when cumulativePrice overflows #246

Open
code423n4 opened this issue Jun 24, 2022 · 1 comment
Open

_updateTwav() and _getTwav() will revert when cumulativePrice overflows #246

code423n4 opened this issue Jun 24, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Twav/Twav.sol#L28
https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Twav/Twav.sol#L40

Vulnerability details

Impact

Contract will break when cumulativeValuation overflows.

PoC

Cumulative prices are designed to work with overflows/underflows because in the end the difference is important.

In _updateTwav() when _prevCumulativeValuation + (_valuation *_timeElapsed) overflows the contract will not work anymore.

twavObservations[twavObservationsIndex] = TwavObservation(_blockTimestamp, _prevCumulativeValuation + (_valuation * _timeElapsed)); //add the previous observation to make it cumulative @audit overflow breaks the contract

Same problem in _getTwav()

  _twav = (_twavObservationCurrent.cumulativeValuation - _twavObservationPrev.cumulativeValuation) / (_twavObservationCurrent.timestamp - _twavObservationPrev.timestamp);@audit same overflow breaks the contract

}

Similar issues

code-423n4/2022-04-phuture-findings#62

Recommended

Add unchecked keyword in every line you add / subtract cumulative prices.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 24, 2022
code423n4 added a commit that referenced this issue Jun 24, 2022
@code423n4
peritoflores issue #246
dbd3f68
@mundhrakeshav mundhrakeshav added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jun 26, 2022
@HardlyDifficult
Copy link
Collaborator

HardlyDifficult commented Jul 2, 2022
edited

Without a better POC of the issue occurring it's hard to justify this is High risk. e.g. maybe it could be forced by spamming updateTWAV, but it's not clear if that would require extremely large values or an unrealistic number of transactions.

Related to #178, that one includes unchecking the price in the recommendation but the rest of the description focuses on timestamp overflows while this one looks at price overflows.

@HardlyDifficult HardlyDifficult added duplicate This issue or pull request already exists 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly duplicate This issue or pull request already exists labels Jul 2, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Jul 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@HardlyDifficult @mundhrakeshav @code423n4