underflow in Lock.release() can lock up funds #253
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-23
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Lock.sol#L73
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Lock.sol#L84-L92
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Lock.sol#L103
Vulnerability details
Impact
An underflow in Lock.release() can prevent a lock from being released. That means funds are locked up. This issue directly affects user funds and doesn't depend on any external requirements. Someone just has to extend their lock and add some funds to it for this to be an issue somewhere down the road.
Proof of Concept
When an existing lock is extended, the new amount of assets added to the lock is not included in the totalLocked state variable. When the user tries to release their lock, lockAmount is bigger than totalLocked[asset], causing an underflow:
Here's a test showcasing the issue:
In most cases, this will only affect the very last user to release their lock. But, a whale who holds a majority of the tokens could encounter the same issue as well. It depends on the way the lock was set up.
To unlock these funds, someone else has to create a lock to increase the totalLocked value. There's no way to get all the tokens out. Some amount will always be lost.
Tools Used
none
Recommended Mitigation Steps
In extendLock() add the new locked funds to totalLocked.
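The accounting gap and the recommended fix from this report, as an added Solidity model that is not part of the original submission and is not the project's Lock.sol. The contract name LockModel, the patched flag, the lockAsset and nextId fields and the per-id lockAmount mapping are assumptions made for illustration; token transfers, the bond NFT and lock periods are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Tigris source. Accounting only: there are no
// token transfers and no access control, so the totalLocked bookkeeping
// described in the report is the only behaviour modelled.
contract LockModel {
    mapping(address => uint256) public totalLocked; // per-asset sum of open locks
    mapping(uint256 => uint256) public lockAmount;  // hypothetical: lock id => amount
    mapping(uint256 => address) public lockAsset;   // hypothetical: lock id => asset
    uint256 public nextId;
    bool public immutable patched;                  // false models the reported behaviour

    constructor(bool _patched) { patched = _patched; }

    function lock(address asset, uint256 amount) external returns (uint256 id) {
        id = nextId++;
        lockAsset[id] = asset;
        lockAmount[id] = amount;
        totalLocked[asset] += amount;               // new locks are counted
    }

    function extendLock(uint256 id, uint256 amount) external {
        lockAmount[id] += amount;                   // the lock itself grows
        if (patched) {
            // Recommended mitigation: count the added funds as well.
            totalLocked[lockAsset[id]] += amount;
        }
    }

    function release(uint256 id) external {
        uint256 amount = lockAmount[id];
        delete lockAmount[id];
        // Solidity 0.8 checks this subtraction. If extendLock() did not update
        // totalLocked, amount can exceed the stored total and the call reverts
        // with Panic(0x11), rolling back the whole release.
        totalLocked[lockAsset[id]] -= amount;
    }
}
```

With patched set to false, lock(asset, 100) followed by extendLock(id, 50) leaves lockAmount at 150 and totalLocked at 100, so release(id) reverts until another lock raises totalLocked. With patched set to true both values are 150 and the release succeeds.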