Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsafe downcast operations can lead to silent failures #225

Closed
code423n4 opened this issue Oct 23, 2022 · 3 comments
Closed

Unsafe downcast operations can lead to silent failures #225

code423n4 opened this issue Oct 23, 2022 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate-31 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696

Vulnerability details

Solidity won't perform automatic checks when downcasting and it's possible for some fields to overflow while adding tiers.

Proof of Concept

  • Assume that in JBTiered721DelegateStore.recordAddTiers(), one item for _tiersToAdd contains votingUnits bigger than the size of uint16, e.g. 65536.
  • The data stored in _storedTierOf will overflow, e.g. if the input is 65536 the value will be 0.

Similar behavior can occur for other fields for a tier.

https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L688-L696

Impact

Slient overflows will affect tier accouting and can cause unexpected behavior in the protocol.

Recommended Mitigation Steps

Make use of a safe-cast library. E.g. OpenZeppelin's SafeCast.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 23, 2022
code423n4 added a commit that referenced this issue Oct 23, 2022
@code423n4
brgltd issue #225
48b3090
@drgorillamd drgorillamd added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Oct 24, 2022
@drgorillamd
Copy link

Nice finding, disagree with severity (another tier can be added to fix it/no function/availability of the protocol impacted)

@drgorillamd drgorillamd mentioned this issue Oct 24, 2022
Open
@c4-judge
Copy link
Contributor

c4-judge commented Nov 8, 2022

Picodes marked the issue as duplicate

@c4-judge c4-judge closed this as completed Nov 8, 2022
@c4-judge
Copy link
Contributor

c4-judge commented Dec 3, 2022

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate-31 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @drgorillamd @c4-judge