Potential Underflow in the removeFromPool Function
Summary
The removeFromPool function is a smart contract function designed to remove an amount from the pool balance. However, there is a potential underflow vulnerability in the implementation that could lead to unexpected behavior and loss of funds.
Vulnerability Details
In the removeFromPool function, the potential underflow vulnerability arises from the subtraction of the amount from the poolBalance without sufficient validation. The code responsible for the balance update is as follows:
Here, pools[poolId].poolBalance represents the current balance of the pool, and amount is the value to be removed. If amount is greater than the current poolBalance, the subtraction could result in an underflow. An underflow occurs when the subtraction of amount from poolBalance results in a value lower than zero, causing the value to wrap around to the maximum possible value for the data type (uint256) instead of producing a negative value. This leads to an unintended balance and potential loss of funds.
Impact
The underflow vulnerability can lead to a loss of funds for the pool if an attacker manipulates the amount parameter to be greater than the current poolBalance. It could disrupt the intended functioning of the pool, affecting other participants as well.
Tools Used
Manual
Recommendations
Simple validation check:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.