First Flight #9: Soulmate
First Flight #9
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Potential Security Risks in `Staking.sol` Contract which can lead to Unexpected Behavior and Loss of Funds

LogeshN

Summary :

The smart contract Staking.sol contains two vulnerabilities related to integer overflow/underflow. The first vulnerability is at line 54, where the userStakes mapping is updated by adding the amount to the existing value. The second vulnerability is at line 63, where the userStakes mapping is updated by subtracting the amount from the existing value.

Vulnerability Details :

The vulnerabilities in the smart contract Staking.sol are related to integer overflow/underflow.

Integer Overflow (Line 54) :

The userStakes mapping is updated by adding the amount to the existing value. This operation can potentially cause an integer overflow if the resulting value exceeds the maximum value that can be stored in the uint256 data type.

Vulnerable Code
function deposit(uint256 amount) public {
if (loveToken.balanceOf(address(stakingVault)) == 0)
revert Staking__NoMoreRewards();
// No require needed because of overflow protection
@> userStakes[msg.sender] += amount;
loveToken.transferFrom(msg.sender, address(this), amount);
emit Deposited(msg.sender, amount);
}

Integer Underflow (Line 63) :

The userStakes mapping is updated by subtracting the amount from the existing value. This operation can potentially cause an integer underflow if the amount is greater than the existing value.

Vulnerable Code
function withdraw(uint256 amount) public {
// No require needed because of overflow protection
@> userStakes[msg.sender] -= amount;
loveToken.transfer(msg.sender, amount);
emit Withdrew(msg.sender, amount);
}
## Impact :

Integer overflow/underflow vulnerabilities can lead to unexpected behavior and may allow an attacker to manipulate the contract's state. This can potentially result in loss of funds or disruption of the intended functionality of the contract.

Proof of Concept :

To demonstrate the potential vulnerabilities, consider the following scenario:

  1. Assume that the userStakes mapping for a specific user has a value of 1000.

  2. The user calls the deposit function and provides an amount of 2000.

  3. The userStakes mapping is updated by adding the amount to the existing value, resulting in an overflow.

  4. The userStakes mapping now has a value of 3000 (1000 + 2000), which is incorrect and may lead to unexpected behavior.

Also an attacker could exploit this vulnerability by withdrawing a large amount of tokens, causing an integer overflow/underflow and potentially stealing tokens from other users or causing the contract to behave unexpectedly.

// Malicious contract to exploit integer overflow/underflow vulnerability in Staking contract
pragma solidity ^0.8.23;
import "./Staking.sol";
contract MaliciousStaking {
Staking public stakingContract;
constructor(Staking _stakingContract) {
stakingContract = _stakingContract;
}
function attack() public {
// Deposit some tokens to stake
stakingContract.deposit(2000);
// Withdraw more tokens than the user has staked, causing an integer underflow
stakingContract.withdraw(6000);
}
}

Recommended Mitigation Steps :

To mitigate the integer overflow/underflow vulnerabilities in the provided code, you can follow these steps:

  1. Validate input: Implement input validation to ensure that the values provided by users are within the expected range. Check if the input values exceed the maximum or minimum limits defined for the variables.

require(amount > 0, "Amount must be greater than zero");

  1. Perform range checks: Before performing arithmetic operations, check if the values involved are within the valid range. Implement conditional statements or assertions to verify that the result of an operation will not cause an overflow or underflow.

require(userStakes[msg.sender] + amount >= userStakes[msg.sender], "Integer overflow detected");
require(userStakes[msg.sender] - amount <= userStakes[msg.sender], "Integer underflow detected");

  1. Use safe math libraries: To mitigate the integer overflow/underflow vulnerabilities, the following steps are recommended:

  • Implement input validation to ensure that the amount is within a reasonable range before performing the addition or subtraction operations.

    • Check if the addition of amount to userStakes[msg.sender] will cause an overflow.

    • Check if the subtraction of amount from userStakes[msg.sender] will cause an underflow.

  • Use the SafeMath library to perform arithmetic operations on the userStakes mapping.

    • The SafeMath library provides functions that prevent integer overflow/underflow by checking the result of arithmetic operations.

    • Import the SafeMath library and use its add and sub functions to perform addition and subtraction operations on userStakes[msg.sender].

Here's an example of how the code can be modified to mitigate the vulnerabilities:

import {SafeMath} from "./SafeMath.sol";
contract Staking {
using SafeMath for uint256;
// ...
function deposit(uint256 amount) public {
if (loveToken.balanceOf(address(stakingVault)) == 0)
revert Staking__NoMoreRewards();
// No require needed because of overflow protection
- userStakes[msg.sender] += amount;
+ userStakes[msg.sender] = userStakes[msg.sender].add(amount);
loveToken.transferFrom(msg.sender, address(this), amount);
emit Deposited(msg.sender, amount);
}
function withdraw(uint256 amount) public {
// No require needed because of overflow protection
- userStakes[msg.sender] -= amount;
+ userStakes[msg.sender] = userStakes[msg.sender].sub(amount);
loveToken.transfer(msg.sender, amount);
emit Withdrew(msg.sender, amount);
}
// ...
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.