hickuphh3
The unsafe casting of the recovered amount from uint256
to uint128
means the users’ funds will be lost.
logIncomingERC20()
has the recovered amount as type uint256
, but amountStored
is of type uint128
. There is an unsafe casting when incrementing amountStored
:
_erc20WithdrawalAllowances[_originalAddress][_erc20Address].amountStored += uint128(_amount);
It is thus possible for the amount recorded to be less than the actual amount recovered.
Loss of funds.
The user's balance is type(uint128).max = 2**128
, but the incremented amount will be zero.
https://github.com/sherlock-audit/2022-09-harpie-hickuphh3/commit/83f321b95cfbf44514f5b88f98bf1576f5c3dc8c
amountStored
should be of type uint256
. Alternatively, use OpenZeppelin’s SafeCast library when casting from uint256
to uint128
.