stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

Potential Integer Overflow in `_createLock` and `_updateLock` Functions in SDLPool

Summary

Description: Both _createLock and _updateLock functions in the SDLPool.sol contract lack proper checks for potential integer overflow when calculating the boost amounts. This could lead to unexpected behavior or vulnerabilities if the boost calculation exceeds the maximum representable value for a uint256.

Vulnerability Details

Code from SDLPool.sol

```solidity
// In SDLPool.sol
function _createLock(uint256 _amount, uint64 _lockingDuration) internal view returns (Lock memory) {
    // Potential integer overflow if boostController.getBoostAmount() exceeds uint256 max
    uint256 boostAmount = boostController.getBoostAmount(_amount, _lockingDuration);
    // ...
}

function _updateLock(Lock memory _lock, uint256 _amount, uint64 _lockingDuration) internal view returns (Lock memory) {
    // Potential integer overflow if boostController.getBoostAmount() exceeds uint256 max
    uint256 boostAmount = boostController.getBoostAmount(_lock.amount + _amount, _lockingDuration);
    // ...
}
```

Impact

  1. Integer Overflow Risk:
    The lack of proper checks for potential integer overflow in the boost calculation may lead to unexpected results or vulnerabilities if the boost amount exceeds the maximum representable value for a uint256. This could potentially allow an attacker to manipulate boost amounts and exploit vulnerabilities in the system.

Tools Used

Manual Code Review

Recommendations

Implement proper checks to prevent potential integer overflow in boost calculations. Consider using safe math libraries, such as OpenZeppelin's SafeMath, to perform arithmetic operations safely. Ensure that the boost calculation is within the valid range of a uint256 to avoid unexpected behavior and mitigate the risk of integer overflow vulnerabilities.

Mitigation Steps

```solidity
// In SDLPool.sol
function _createLock(uint256 _amount, uint64 _lockingDuration) internal view returns (Lock memory) {
    // Check for potential integer overflow before boost calculation
    require(_amount <= type(uint256).max - boostController.getBoostAmount(_amount, _lockingDuration), "Integer overflow");
    uint256 boostAmount = boostController.getBoostAmount(_amount, _lockingDuration);
    // ...
}

function _updateLock(Lock memory _lock, uint256 _amount, uint64 _lockingDuration) internal view returns (Lock memory) {
    // Check for potential integer overflow before boost calculation
    require(_lock.amount + _amount <= type(uint256).max - boostController.getBoostAmount(_lock.amount + _amount, _lockingDuration), "Integer overflow");
    uint256 boostAmount = boostController.getBoostAmount(_lock.amount + _amount, _lockingDuration);
    // ...
}
```

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
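
An added example, not code from the submission or from stake.link, showing how arithmetic in the call shape quoted above behaves when the compiler's checked arithmetic is in effect. The `^0.8.1` pragma, `MockBoostController` with its linear formula, and the `OverflowDemo` harness are assumptions made for this demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1; // assumption: 0.8+ checked arithmetic; 0.8.1 for `catch Panic`

// Hypothetical stand-in for a boost controller; the linear formula is invented for the demo.
contract MockBoostController {
    function getBoostAmount(uint256 _amount, uint64 _lockingDuration) external pure returns (uint256) {
        // Checked multiplication: reverts with Panic(0x11) instead of wrapping around.
        return _amount * _lockingDuration;
    }
}

// Hypothetical harness, not SDLPool itself.
contract OverflowDemo {
    MockBoostController public boostController;

    constructor() {
        boostController = new MockBoostController();
    }

    // Same call shape as the _updateLock excerpt: the sum is a checked addition that is
    // evaluated before the external call is made.
    function boostFor(uint256 _lockAmount, uint256 _amount, uint64 _lockingDuration)
        public view returns (uint256)
    {
        return boostController.getBoostAmount(_lockAmount + _amount, _lockingDuration);
    }

    // True when `a + b` overflowed and the call reverted with the arithmetic panic code.
    // Example: additionReverts(type(uint256).max, 1) is true, additionReverts(1, 2) is false.
    function additionReverts(uint256 a, uint256 b) external view returns (bool) {
        try this.boostFor(a, b, 1) returns (uint256) {
            return false;
        } catch Panic(uint256 code) {
            return code == 0x11; // 0x11 = arithmetic overflow/underflow
        }
    }

    // True when the multiplication inside the controller overflowed and reverted.
    // Example: multiplicationReverts(type(uint256).max, 2) is true.
    function multiplicationReverts(uint256 amount, uint64 duration) external view returns (bool) {
        try boostController.getBoostAmount(amount, duration) returns (uint256) {
            return false;
        } catch Panic(uint256 code) {
            return code == 0x11;
        }
    }
}
```

In both cases the transaction reverts rather than storing a wrapped value, and any value that does come back typed as `uint256` is by construction no larger than `type(uint256).max`.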
