Submission Details
Severity: medium
Invalid

Issue with int8 and uint8 Casting

Summary

The code casts an int8 score to uint8 before assigning it to a uint256 variable, which can lead to incorrect values if the score is negative. This can cause issues such as incorrect reward calculations.

Vulnerability Details

The root cause of this issue is the unsafe downcasting of a signed integer (int8) to an unsigned integer (uint8), which does not handle negative values correctly and can result in unexpected behavior. If a player's score is negative, the cast to uint8 will result in an incorrect and potentially very large positive value, leading to incorrect reward calculations.

function withdraw() public {
    if (!scoreBoard.isEligibleForReward(msg.sender)) {
        revert ThePredicter__NotEligibleForWithdraw();
    }
    int8 score = scoreBoard.getPlayerScore(msg.sender);
    int8 maxScore = -1;
    int256 totalPositivePoints = 0;
    for (uint256 i = 0; i < players.length; ++i) {
        int8 cScore = scoreBoard.getPlayerScore(players[i]);
        if (cScore > maxScore) maxScore = cScore;
        if (cScore > 0) totalPositivePoints += cScore;
    }
    if (maxScore > 0 && score <= 0) {
        revert ThePredicter__NotEligibleForWithdraw();
    }
    uint256 shares = uint8(score); // Unsafe casting
    uint256 totalShares = uint256(totalPositivePoints);
    uint256 reward = 0;
    reward = maxScore < 0
        ? entranceFee
        : (shares * players.length * entranceFee) / totalShares;
    if (reward > 0) {
        scoreBoard.clearPredictionsCount(msg.sender);
        (bool success, ) = msg.sender.call{value: reward}("");
        require(success, "Failed to withdraw");
    }
}

Impact

Overflow/Underflow: Downcasting can cause overflow or underflow issues, leading to unintended behavior or vulnerabilities.

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
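
An added example, not part of the submission or the contest code: a Python model of the arithmetic in `withdraw()` that checks, for every negative int8 score, whether the wrapped `uint8` value ever feeds a payout. It assumes `isEligibleForReward` passes and that the caller is in `players`; the helper names and the player fields are constructed for illustration.

```python
# Python model of the arithmetic in withdraw() above (added example, not contest code).
# Assumptions: isEligibleForReward() passes and the caller is one of `players`.

class Revert(Exception):
    """Stands in for an EVM revert."""

def to_uint8(score):
    # Solidity uint8(int8 x) keeps the bit pattern: -1 -> 255, -128 -> 128.
    assert -128 <= score <= 127
    return score & 0xFF

def withdraw_reward(score, all_scores, entrance_fee):
    max_score = -1
    total_positive = 0
    for c in all_scores:
        if c > max_score:
            max_score = c
        if c > 0:
            total_positive += c
    if max_score > 0 and score <= 0:
        raise Revert("ThePredicter__NotEligibleForWithdraw")
    shares = to_uint8(score)              # the cast flagged in the submission
    if max_score < 0:
        return entrance_fee               # refund branch: shares is never read
    if total_positive == 0:
        raise Revert("division by zero")  # max_score == 0, so totalShares == 0
    return shares * len(all_scores) * entrance_fee // total_positive

def outcome(score, others, fee=10**18):
    # Returns the reward, or the revert reason as a string.
    try:
        return withdraw_reward(score, [score] + others, fee)
    except Revert as exc:
        return str(exc)

def wrapped_cast_reaches_payout():
    # Every negative caller score against three constructed fields of other players.
    fields = {"all negative": [-3, -1], "best is zero": [0, -2], "a winner": [4, -2]}
    for others in fields.values():
        for score in range(-128, 0):
            result = outcome(score, others)
            refund = result == 10**18 and max([score] + others) < 0
            if not (refund or isinstance(result, str)):
                return True               # a wrapped share value was paid out
    return False
```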
