Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Integer Overflow Vulnerability in the deposit and withdraw functions [2024-09-stakelink/contracts/core/InsurancePool.sol]

Summary :

The vulnerability occurs due to improper handling of arithmetic operations that exceed the maximum value allowed by the data type, leading to incorrect or unexpected behavior. This flaw could potentially be exploited to manipulate contract balances or other critical variables, leading to financial loss or unintended actions within the contract.

Vulnerability Details :

The identified integer overflow vulnerability occurs in the smart contract due to insufficient checks during arithmetic operations. When performing operations such as addition, subtraction, or multiplication, the contract fails to validate whether the resulting value exceeds the maximum limit of the data type.

/**
 * @notice deposits tokens into the pool
 * @dev will delete any active or upcoming withdrawal window
 * @param _amount amount of tokens to deposit
 */
function deposit(uint256 _amount) external whileNoClaimInProgress {
    if (withdrawalRequests[msg.sender] != 0) delete withdrawalRequests[msg.sender];
    rewardsPool.updateReward(msg.sender);
    token.safeTransferFrom(msg.sender, address(this), _amount);
    _mint(msg.sender, _amount);
    totalDeposits += _amount;
}

/**
 * @notice withdraws tokens from the pool
 * @param _amount amount of tokens to withdraw
 */
function withdraw(uint256 _amount) external whileNoClaimInProgress {
    if (!canWithdraw(msg.sender)) revert WithdrawalWindowInactive();
    rewardsPool.updateReward(msg.sender);
    _burn(msg.sender, _amount);
    totalDeposits -= _amount;
    token.safeTransfer(msg.sender, _amount);
}

Impact :

  1. Financial loss: Attackers can manipulate the balance or other critical contract variables, allowing them to bypass restrictions or drain funds.

  2. Bypassing contract logic: Contracts may have conditions that rely on accurate values (e.g., balance checks). If these values overflow, contract logic may be bypassed, leading to unexpected behavior.

  3. Security breaches: The contract may no longer enforce expected business logic, creating significant risks for users and stakeholders.

Tools Used :

Remix IDE: The vulnerability was reproduced and tested in the Remix IDE environment.

Recommendations :

Integer Overflow: There were potential integer overflow issues in the deposit() and withdraw() functions when updating totalDeposits. I've implemented SafeMath to prevent these overflows. I have added SafeMath from @openzeppelin, as we can see in the example contract.

import "@openzeppelin/contracts-upgradeable/utils/math/SafeMathUpgradeable.sol";

// Inside the contract body: needed so that .add() and .sub() resolve on uint256 values
using SafeMathUpgradeable for uint256;

/**
 * @notice deposits tokens into the pool
 * @dev will delete any active or upcoming withdrawal window
 * @param _amount amount of tokens to deposit
 */
function deposit(uint256 _amount) external nonReentrant whileNoClaimInProgress {
    require(_amount > 0, "Deposit amount must be greater than 0");
    if (withdrawalRequests[msg.sender] != 0) delete withdrawalRequests[msg.sender];
    rewardsPool.updateReward(msg.sender);
    token.safeTransferFrom(msg.sender, address(this), _amount);
    _mint(msg.sender, _amount);
    totalDeposits = totalDeposits.add(_amount);
}

/**
 * @notice withdraws tokens from the pool
 * @param _amount amount of tokens to withdraw
 */
function withdraw(uint256 _amount) external nonReentrant whileNoClaimInProgress {
    require(_amount > 0, "Withdraw amount must be greater than 0");
    require(canWithdraw(msg.sender), "Withdrawal window inactive");
    rewardsPool.updateReward(msg.sender);
    _burn(msg.sender, _amount);
    totalDeposits = totalDeposits.sub(_amount);
    token.safeTransfer(msg.sender, _amount);
}
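
For reference when reviewing the `totalDeposits` arithmetic discussed above, this added example (not part of the submission and not Stakelink code) shows how `+=` and `-=` on a `uint256` behave with and without an `unchecked` block. It assumes Solidity 0.8.1 or later, since the page does not state the compiler version of InsurancePool.sol; `TotalDepositsDemo` and all of its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
// Assumption: compiler 0.8.1+; the page does not give InsurancePool.sol's pragma.
pragma solidity ^0.8.1;

/// Hypothetical ledger that mirrors only the totalDeposits bookkeeping.
contract TotalDepositsDemo {
    uint256 public totalDeposits;

    /// Default arithmetic: reverts with Panic(0x11) if the sum exceeds 2**256 - 1.
    function addChecked(uint256 _amount) external {
        totalDeposits += _amount;
    }

    /// Default arithmetic: reverts with Panic(0x11) if _amount > totalDeposits.
    function subChecked(uint256 _amount) external {
        totalDeposits -= _amount;
    }

    /// Wrapping arithmetic, the behaviour SafeMath was written to guard against
    /// on compilers before 0.8.0.
    function subWrapping(uint256 _amount) external {
        unchecked {
            totalDeposits -= _amount;
        }
    }

    /// Runs all three cases against a constructed starting balance of 1.
    /// Expected: overflowCode == 0x11, underflowCode == 0x11,
    /// wrapped == type(uint256).max.
    function probe()
        external
        returns (uint256 overflowCode, uint256 underflowCode, uint256 wrapped)
    {
        totalDeposits = 1; // constructed sample value

        // 1 + (2**256 - 1) does not fit in uint256: the call reverts, state is kept.
        try this.addChecked(type(uint256).max) {} catch Panic(uint256 errorCode) {
            overflowCode = errorCode;
        }
        // 1 - 2 is negative: the call reverts, state is kept.
        try this.subChecked(2) {} catch Panic(uint256 errorCode) {
            underflowCode = errorCode;
        }
        // The same subtraction inside unchecked wraps around instead of reverting.
        this.subWrapping(2);
        wrapped = totalDeposits;
    }
}
```

Checking the `pragma` line of the contract under review is the first step in deciding which of these behaviours applies to it.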
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
