Submission Details
Severity:
Unsafe downcast
Summary
When a type is downcast to a smaller type, the higher order bits are truncated, effectively applying a modulo to the original value. Without any other checks, this wrapping will lead to unexpected behavior and bugs.
Vulnerability Details
There are 4 instances of this issue.
View 6 Instances
File: contracts/facets/OwnerFacet.sol
/// @audit uint256 s.assets.length -> uint8
55: Asset.assetId = uint8(s.assets.length);
/// @audit uint256 vault -> uint8
281: s.bridge[bridge].vault = uint8(vault);
| File Link | Instance Count | Instance Links |
|---|---|---|
| OwnerFacet.sol | 2 | 55,281 |
File: contracts/libraries/LibOracle.sol
/// @audit uint256 oraclePrice -> uint80
136: s.bids[asset][Constants.HEAD].ercAmount = uint80(oraclePrice);
149: return uint80(s.bids[asset][Constants.HEAD].ercAmount);
| File Link | Instance Count | Instance Links |
|---|---|---|
| LibOracle.sol | 2 | 136,149 |
Impact
Unexpected behavior upon value truncation.
Tools Used
baudit: a custom static code analysis tool; manual review
Recommendations
Use OpenZeppelin's SafeCast so that transactions revert when such an operation overflows. Using this library instead of the unchecked operations eliminates an entire class of bugs, so it is recommended to always use it.
Prize pool breakdown
Total prize
55,000 USDC
nSLOC
3,36516 USDC / LOC
50,000 USDC
5,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.