MorpheusAI

MorpheusAI
Foundry
22,500 USDC
View results
Submission Details
Severity: low
Invalid

Unsafe cast in function `_calculateMaxEndTime`

Summary

The _calculateMaxEndTime function may produce an incorrect maxEndTime due to the unsafe cast from uint256 to uint128, leading to inaccurate results in the getPeriodReward function and affecting user rewards.

Vulnerability Details

The maxEndTime is casted to uint128 without any checks. If the result of payoutStart_ + maxIntervals_ * interval_ exceeds type(uint128).max, it will lead to an incorrect maxEndTime.
For instance, if initialAmount_ = 1e15 ETH, decreaseAmount_ = 1 wei, and interval_ = 3000 Hours, then maxIntervals_ = 1e33 and maxIntervals_ * interval_ = 1.08e40, surpassing type(uint128).max and resulting in a casted smaller value.

function _calculateMaxEndTime(
uint128 payoutStart_,
uint128 interval_,
uint256 initialAmount_,
uint256 decreaseAmount_
) private pure returns (uint128) {
if (decreaseAmount_ == 0) {
return type(uint128).max;
}
uint256 maxIntervals_ = _divideCeil(initialAmount_, decreaseAmount_);
return uint128(payoutStart_ + maxIntervals_ * interval_);
}

The getPeriodReward result is computed based on the maxEndTime, and the casted maxEndTime might result in an incorrect reward value.

function getPeriodReward(
uint256 initialAmount_,
uint256 decreaseAmount_,
uint128 payoutStart_,
uint128 interval_,
uint128 startTime_,
uint128 endTime_
) external pure returns (uint256) {
if (interval_ == 0) {
return 0;
}
// 'startTime_' can't be less than 'payoutStart_'
if (startTime_ < payoutStart_) {
startTime_ = payoutStart_;
}
uint128 maxEndTime_ = _calculateMaxEndTime(payoutStart_, interval_, initialAmount_, decreaseAmount_);
if (endTime_ > maxEndTime_) {
endTime_ = maxEndTime_;
}
[...]
}

Impact

The _calculateMaxEndTime function may produce an incorrect maxEndTime, leading to inaccurate results in the getPeriodReward function and affecting user rewards.

Tools Used

Manual Review

Recommendations

Check the result of maxIntervals_ * interval_, if it's bigger than type(uint128).max, just return the type(uint128).max.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.