Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Unsafe Conversion of Negative Integer to Unsigned Integer

8olidity

Summary

Unsafe Conversion of Negative Integer to Unsigned Integer

Vulnerability Details

A potential high-risk security vulnerability exists in the checkUpkeep function of the LSTRewardsSplitter contract. The function directly converts the newRewards variable of type int256, which may be negative, to uint256 when comparing it with controller.rewardThreshold().When newRewards is negative, converting it to uint256 results in an extremely large positive number (2^256 - 1). This will almost always be greater than controller.rewardThreshold(), causing the condition to incorrectly return true. This could lead to the system erroneously executing upkeep when it shouldn't, potentially triggering incorrect reward distributions or other unexpected behaviors.

function checkUpkeep(bytes calldata) external view returns (bool, bytes memory) {
int256 newRewards = int256(lst.balanceOf(address(this))) - int256(principalDeposits);
if (newRewards < 0 || uint256(newRewards) >= controller.rewardThreshold())
return (true, bytes(""));
return (false, bytes(""));
}

Impact

Tools Used

vscode

Recommendations

Following the approach used in the performUpkeep function, handle positive and negative cases separately

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.