Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Potential Arithmetic Underflow in stakeVested Function

acai

Summary

A low severity vulnerability has been identified in the stakeVested function of the FjordStaking contract. The current implementation could potentially lead to an arithmetic underflow when calculating the remaining amount of a Sablier stream, which could result in transaction reverts.

Vulnerability Details

The vulnerability is present in the stakeVested function:

function stakeVested(uint256 _streamID) external checkEpochRollover redeemPendingRewards {
// ... (previous code omitted for brevity)
uint128 depositedAmount = sablier.getDepositedAmount(_streamID);
uint128 withdrawnAmount = sablier.getWithdrawnAmount(_streamID);
uint128 refundedAmount = sablier.getRefundedAmount(_streamID);
if (depositedAmount - (withdrawnAmount + refundedAmount) <= 0) revert InvalidAmount();
// ... (rest of the function)
}

The issue lies in the calculation depositedAmount - (withdrawnAmount + refundedAmount). If the sum of withdrawnAmount and refundedAmount exceeds depositedAmount, this subtraction will result in an arithmetic underflow, as these variables are of type uint128.

In Solidity 0.8.x, which this contract uses, arithmetic underflows cause the transaction to revert. However, this revert occurs before the InvalidAmount error is thrown, potentially leading to confusion about the cause of the failure.

Impact

The impact of this vulnerability includes:

  1. Unexpected Reverts: Transactions may revert due to arithmetic underflow rather than the intended InvalidAmount error, leading to confusion for users and developers.

  2. Potential for Misinterpretation: The arithmetic underflow could be misinterpreted as a different issue, complicating debugging and maintenance.

While the occurrence of this condition (where withdrawn and refunded amounts exceed the deposited amount) should be rare in a properly functioning Sablier stream, it's important to handle all edge cases correctly to ensure robust contract behavior.

Tools Used

Manual

Recommendations

To address this vulnerability and improve the robustness of the stakeVested function, we recommend modifying the condition to avoid the potential underflow. Here's the suggested fix:

function stakeVested(uint256 _streamID) external checkEpochRollover redeemPendingRewards {
// ... (previous code remains the same)
uint128 depositedAmount = sablier.getDepositedAmount(_streamID);
uint128 withdrawnAmount = sablier.getWithdrawnAmount(_streamID);
uint128 refundedAmount = sablier.getRefundedAmount(_streamID);
if (depositedAmount <= withdrawnAmount + refundedAmount) revert InvalidAmount();
// ... (rest of the function remains the same)
}

This modification ensures that:

  1. The condition checks if there's any remaining amount in the stream without performing subtraction.

  2. It avoids the potential for arithmetic underflow entirely.

  3. The InvalidAmount error is thrown as intended when the stream has been fully withdrawn or refunded.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.