TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Unsafe cast from `uint256` to `uint32` in the `TempleGold::mint` function which can cause the `TempleGold::mint` function keep reverting and hence disrupt the protocol by preventing the protocol from minting `TGLD`.

spomaria

Summary

Unsafe cast from uint256 to uint32 in the TempleGold::mint function which can cause the TempleGold::mint function keep reverting and hence disrupt the protocol.

Vulnerability Details

The TempleGold::mint function casts block.timestamp of type uint256 to a type uint32. In the event block.timestamp exceeds type(uint32).max, the solidity compiler will throw an overflow error and revert. This means that this unsafe casting can prevent the protocol from minting TGLD when there is no conditions are violated causing a breach in the protocol.

Impact

If ever the block.timestamp exceeds type(uint32).max, the TempleGold contract will not be able to set the lastMintTimestamp because the the solidity compiler will revert with an overflow issue preventing the protocol from minting tokens.

Tools Used

A simple demonstration in foundry using chisel demonstrates that solidity compiler reverts whenever it encounters an arithmetic overflow or underflow. In our demonstration, we defined a variable of type uint32 and assigned it a value slightly above type(uint32).max and the compiler did not complete the assignment operation but reverted

uint32 lastMintTimestamp = type(uint32).max + 1

Traces:

[338] 0xBd770416a3345F91E4B34576cb804a576fa48EB1::run()

└─ ← [Revert] panic: arithmetic underflow or overflow (0x11)

⚒️ Chisel Error: Failed to execute REPL contract!

Recommendations

In order to avoid unsafe casting of uint256 to uint32, we recommend as follows:

the lastMintTimestamp variable be changed from a uint32 to a uint256 as follows

/// @notice Last block timestamp Temple Gold was minted

- uint32 public override lastMintTimestamp;

+ uint256 public override lastMintTimestamp;

modify the TempleGold::mint function to remove the unsafe casting

function mint() external override onlyArbitrum {

VestingFactor memory vestingFactorCache = vestingFactor;

- DistributionParams storage distributionParamsCache = distributionParams;

if (vestingFactorCache.numerator == 0) { revert ITempleGold.MissingParameter(); }

uint256 mintAmount = _getMintAmount(vestingFactorCache);

/// @dev no op silently

if (!_canDistribute(mintAmount)) { return; }

- lastMintTimestamp = uint32(block.timestamp);

+ lastMintTimestamp = block.timestamp;

+ DistributionParams memory distributionParamsCache = distributionParams;

_distribute(distributionParamsCache, mintAmount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.