Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Arithmetic Overflow and Underflow in MarginCollateralConfiguration.sol

heim

Summary

During the fuzz testing of the smart contract MarginCollateralConfiguration.sol, arithmetic overflow and underflow vulnerabilities were identified. These vulnerabilities occur in the conversion functions where token amounts are converted to UD60x18 format and vice versa.

Vulnerability Details

Location:

Smart Contract: MarginCollateralConfiguration.sol
Functions:
- convertTokenAmountToUd60x18
- convertUd60x18ToTokenAmount

The convertTokenAmountToUd60x18 function multiplies the input amount by a factor based on the decimals specified. Similarly, convertUd60x18ToTokenAmount divides the input by this factor. However, multiplication and division operations are susceptible to overflow and underflow when dealing with large or very small values.

Root Cause:

Overflow in Multiplication: amount * factor can overflow if amount is large and factor is high.
Division by Zero: Division by factor could cause issues if factor is zero.

Proof of Concept

The following fuzz tests demonstrate how edge cases can cause overflow or underflow in the conversion functions. Copy the test and run it from test folder.

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.25;

import "forge-std/Test.sol";

import { UD60x18, ud60x18 } from "@prb-math/UD60x18.sol";

import { MarginCollateralConfiguration } from "../src/MarginCollateralConfiguration.sol";

import { Constants } from "../src/Constants.sol";

contract FuzzMarginCollateralConfigurationTest is Test {

using MarginCollateralConfiguration for MarginCollateralConfiguration.Data;

MarginCollateralConfiguration.Data private data;

function setUp() public {

data = MarginCollateralConfiguration.Data({

depositCap: 1000,

loanToValue: 50,

decimals: 18,

priceFeed: address(0),

totalDeposited: 0,

priceFeedHearbeatSeconds: 3600

});

}

function testFuzzConvertTokenAmountToUd60x18(uint8 decimals, uint256 amount) public {

data.decimals = decimals;

// Ensure decimals do not exceed the range that can safely be used for conversion

require(

decimals <= Constants.SYSTEM_DECIMALS,

"Decimals exceed system decimals"

);

// Multiply only if it is safe

uint256 factor = 10 ** (Constants.SYSTEM_DECIMALS - decimals);

require(factor > 0);

uint256 expectedResult = amount * factor;

require(expectedResult / factor == amount, "Multiplication overflow");

UD60x18 result = data.convertTokenAmountToUd60x18(amount);

assertEq(result.intoUint256(), expectedResult);

}

function testFuzzConvertUd60x18ToTokenAmount(uint8 decimals, uint256 amount) public {

data.decimals = decimals;

// Ensure decimals do not exceed the range that can safely be used for conversion

require(

decimals <= Constants.SYSTEM_DECIMALS,

"Decimals exceed system decimals"

);

// Divide only if it is safe

uint256 divisor = 10 ** (Constants.SYSTEM_DECIMALS - decimals);

require(divisor > 0);

uint256 reducedAmount = amount / divisor;

UD60x18 ud60x18Amount = ud60x18(amount);

uint256 result = data.convertUd60x18ToTokenAmount(ud60x18Amount);

assertEq(result, reducedAmount);

}

Run forge test --match-contract FuzzMarginCollateralConfigurationTest -vvv

The fuzz tests revealed that certain inputs cause the system to throw exceptions due to arithmetic underflows or overflows.
Failing tests: Encountered 2 failing tests in test/audit-test/FuzzMarginCollateralConfigurationTest.t.sol:FuzzMarginCollateralConfigurationTest [FAIL. Reason: revert: Decimals exceed system decimals; counterexample: calldata=0xf00e797c00000000000000000000000000000000000000000000000000000000000000b2000000000000000000000000000000000000000000000000000000004e487b70 args=[178, 1313373040 [1.313e9]]] testFuzzConvertTokenAmountToUd60x18(uint8,uint256) (runs: 2, μ: 9832, ~: 9832) [FAIL. Reason: revert: Decimals exceed system decimals; counterexample: calldata=0xa82e0ef200000000000000000000000000000000000000000000000000000000000000b2000000000000000000000000000000000000000000000000000000004e487b70 args=[178, 1313373040 [1.313e9]]] testFuzzConvertUd60x18ToTokenAmount(uint8,uint256) (runs: 2, μ: 9665, ~: 9665)

Impact

High

Incorrect token amount conversions can lead to invalid calculations affecting balances, lending, and collateral management, which can disrupt the entire system.
An overflow or underflow can be exploited to manipulate token conversions, leading to potential loss of funds.

Tools Used

Foundry

Recommendations

Range Checks: Implement comprehensive range checks to ensure input values are within acceptable bounds before performing conversions.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.