TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Integer Overflow in `lastRewardNotificationTimestamp`

0xdoko

Summary

The TempleGoldStaking smart contract contains a potential vulnerability where the lastRewardNotificationTimestamp is assigned the value of block.timestamp cast to a uint32 data type. This could lead to an integer overflow after approximately 80 years, causing unexpected behavior in the contract.

Vulnerability Details

In the distributeRewards function, the contract assigns the current block timestamp to lastRewardNotificationTimestamp by casting it to uint32:

lastRewardNotificationTimestamp = uint32(block.timestamp);

Since block.timestamp returns a uint256, and uint32 can only hold values up to 2^32 - 1 (approximately 4.29 billion seconds, or around 136 years), this assignment will result in an overflow once the blockchain's timestamp exceeds the maximum value a uint32 can hold.

Code Location

function distributeRewards() updateReward(address(0), 0) external {

if (distributionStarter != address(0) && msg.sender != distributionStarter)

{ revert CommonEventsAndErrors.InvalidAccess(); }

if (totalSupply == 0) { revert NoStaker(); }

// Mint and distribute TGLD if no cooldown set

if (lastRewardNotificationTimestamp + rewardDistributionCoolDown > block.timestamp)

{ revert CannotDistribute(); }

_distributeGold();

uint256 rewardAmount = nextRewardAmount;

// revert if next reward is 0 or less than reward duration (final dust amounts)

if (rewardAmount < rewardDuration ) { revert CommonEventsAndErrors.ExpectedNonZero(); }

nextRewardAmount = 0;

_notifyReward(rewardAmount);

lastRewardNotificationTimestamp = uint32(block.timestamp); // Potential Overflow

}

Impact

The integer overflow could cause the lastRewardNotificationTimestamp to reset to 0 after the overflow point, leading to potential issues such as:

Incorrect cooldown calculations for reward distribution, allowing or preventing distributions at incorrect times.
Possible exploitation by malicious actors who could manipulate reward distributions if they understand the overflow mechanics.

Given the approximately 80-year timeframe for this issue to manifest, it is a low-priority vulnerability in the short term but still a critical one in the long term.

Tools Used

Manual code review

Recommendations

To prevent the overflow, consider using a larger integer type for lastRewardNotificationTimestamp, such as uint64, which would delay the overflow far beyond any practical timeframe for the contract's operation.

Suggested Fix

Change the declaration of lastRewardNotificationTimestamp and its usage to uint64:

uint64 public override lastRewardNotificationTimestamp;

And update the assignment in the distributeRewards function:

lastRewardNotificationTimestamp = uint64(block.timestamp);

This modification will effectively mitigate the risk of overflow within any reasonable period of the contract's operation.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.