hickuphh3

Unsafe casting of user amount from `uint256` to `uint128`

Summary

The unsafe casting of the recovered amount from uint256 to uint128 means the users’ funds will be lost.

Vulnerability Detail

logIncomingERC20() has the recovered amount as type uint256, but amountStored is of type uint128. There is an unsafe casting when incrementing amountStored:

_erc20WithdrawalAllowances[_originalAddress][_erc20Address].amountStored += uint128(_amount);

It is thus possible for the amount recorded to be less than the actual amount recovered.

Impact

Loss of funds.

Proof of Concept

The user's balance is type(uint128).max = 2**128, but the incremented amount will be zero. https://github.com/sherlock-audit/2022-09-harpie-hickuphh3/commit/83f321b95cfbf44514f5b88f98bf1576f5c3dc8c

Recommendation

amountStored should be of type uint256. Alternatively, use OpenZeppelin’s SafeCast library when casting from uint256 to uint128.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1-report.md

1-report.md

Unsafe casting of user amount from `uint256` to `uint128`

Summary

Vulnerability Detail

Impact

Proof of Concept

Recommendation

Files

1-report.md

Latest commit

History

1-report.md

File metadata and controls

Unsafe casting of user amount from uint256 to uint128

Summary

Vulnerability Detail

Impact

Proof of Concept

Recommendation

Unsafe casting of user amount from `uint256` to `uint128`