Unsafe downcast operations can lead to silent failures #225
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate-31
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696
Vulnerability details
Solidity won't perform automatic checks when downcasting and it's possible for some fields to overflow while adding tiers.
Proof of Concept
In JBTiered721DelegateStore.recordAddTiers(), one item for _tiersToAdd contains votingUnits bigger than the size of uint16, e.g. 65536.
_storedTierOf will overflow, e.g. if the input is 65536 the value will be 0.
Similar behavior can occur for other fields for a tier.
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696
Impact
Silent overflows will affect tier accounting and can cause unexpected behavior in the protocol.
Recommended Mitigation Steps
Make use of a safe-cast library. E.g. OpenZeppelin's SafeCast.
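The truncation and the recommended check side by side, as an added example that is not code from the juice-nft-rewards repository. The struct, error and contract names are hypothetical; only the votingUnits field name and its uint16 width come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration; not code from JBTiered721DelegateStore.
// TierParams, StoredTier and both contracts are hypothetical names.

struct TierParams {
    uint256 votingUnits; // caller-supplied, full 256-bit width
}

struct StoredTier {
    uint16 votingUnits; // narrow storage field, max 65535
}

error ValueDoesNotFitUint16(uint256 value);

contract UnsafeTierStore {
    mapping(uint256 => StoredTier) public storedTierOf;

    // Explicit narrowing conversions are not checked, even in 0.8.x:
    // uint16(65536) keeps only the low 16 bits, so 0 is stored.
    function addTier(uint256 tierId, TierParams calldata tier) external {
        storedTierOf[tierId] = StoredTier({votingUnits: uint16(tier.votingUnits)});
    }
}

contract CheckedTierStore {
    mapping(uint256 => StoredTier) public storedTierOf;

    // Same range check that OpenZeppelin's SafeCast.toUint16 performs:
    // revert instead of truncating when the value exceeds 65535.
    function toUint16(uint256 value) internal pure returns (uint16) {
        if (value > type(uint16).max) revert ValueDoesNotFitUint16(value);
        return uint16(value);
    }

    function addTier(uint256 tierId, TierParams calldata tier) external {
        storedTierOf[tierId] = StoredTier({votingUnits: toUint16(tier.votingUnits)});
    }
}
```

Calling addTier with votingUnits set to 65536 stores 0 in UnsafeTierStore and reverts with ValueDoesNotFitUint16 in CheckedTierStore.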