MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Unsafe cast in function `_calculateMaxEndTime`

Krace

Summary

The _calculateMaxEndTime function may produce an incorrect maxEndTime due to the unsafe cast from uint256 to uint128, leading to inaccurate results in the getPeriodReward function and affecting user rewards.

Vulnerability Details

The maxEndTime is casted to uint128 without any checks. If the result of payoutStart_ + maxIntervals_ * interval_ exceeds type(uint128).max, it will lead to an incorrect maxEndTime.
For instance, if initialAmount_ = 1e15 ETH, decreaseAmount_ = 1 wei, and interval_ = 3000 Hours, then maxIntervals_ = 1e33 and maxIntervals_ * interval_ = 1.08e40, surpassing type(uint128).max and resulting in a casted smaller value.

function _calculateMaxEndTime(

uint128 payoutStart_,

uint128 interval_,

uint256 initialAmount_,

uint256 decreaseAmount_

) private pure returns (uint128) {

if (decreaseAmount_ == 0) {

return type(uint128).max;

}

uint256 maxIntervals_ = _divideCeil(initialAmount_, decreaseAmount_);

return uint128(payoutStart_ + maxIntervals_ * interval_);

}

The getPeriodReward result is computed based on the maxEndTime, and the casted maxEndTime might result in an incorrect reward value.

function getPeriodReward(

uint256 initialAmount_,

uint256 decreaseAmount_,

uint128 payoutStart_,

uint128 interval_,

uint128 startTime_,

uint128 endTime_

) external pure returns (uint256) {

if (interval_ == 0) {

return 0;

}

// 'startTime_' can't be less than 'payoutStart_'

if (startTime_ < payoutStart_) {

startTime_ = payoutStart_;

}

uint128 maxEndTime_ = _calculateMaxEndTime(payoutStart_, interval_, initialAmount_, decreaseAmount_);

if (endTime_ > maxEndTime_) {

endTime_ = maxEndTime_;

}

[...]

}

Impact

The _calculateMaxEndTime function may produce an incorrect maxEndTime, leading to inaccurate results in the getPeriodReward function and affecting user rewards.

Tools Used

Manual Review

Recommendations

Check the result of maxIntervals_ * interval_, if it's bigger than type(uint128).max, just return the type(uint128).max.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.