Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

[H-5]Unchecked Arithmetic Overflow Vulnerability in `scaleAmount` Function of `Helpers` Contract Leading to Incorrect Token Scaling and Financial Loss Potential

cyberray

Summary:

The scaleAmount function in the Helpers contract contains an unchecked arithmetic operation that can lead to an overflow when scaling a large token amount with a small number of decimals. Specifically, the function multiplies a provided amount by a scale factor derived from the token's decimal precision. If the input amount is excessively large and the scale factor results in a value greater than the maximum limit for a uint256 (2^256 - 1), an overflow can occur, causing the function to return an incorrect value.

This vulnerability can be exploited by malicious actors who can manipulate input values, leading to erroneous calculations that may result in financial losses for users. Exploitation of this vulnerability could allow attackers to claim more tokens than intended, disrupt the integrity of financial transactions, or cause unintended behaviors in token handling.

Vulnerability Details:

Arithmetic Overflow: The line return amount * scaleFactor; may produce a value greater than the maximum limit for a uint256 (2^256 - 1) if the amount is sufficiently large and the scaleFactor is high. In Solidity, multiplication of two large numbers without checks can lead to an overflow, resulting in an incorrect amount being returned.

Wraparound: If an overflow occurs, the resultant value may wrap around to zero or yield a negative number, severely impacting any dependent calculations.

Manipulated Input: An attacker can leverage this vulnerability by supplying a carefully chosen large amount combined with a small decimals value to force an overflow.

Affected Functionality: The vulnerability directly impacts any functionality that relies on the output of the scaleAmount function, including:

Fee calculations for transactions.
Adjustments in the balances of users involved in the token economy.
Financial models relying on accurate token valuations.

To exploit this vulnerability, an attacker would need to:

Call the scaleAmount function with a sufficiently large amount and a low decimals value (e.g., 0 or 1), increasing the likelihood of triggering an overflow.
Depending on how the output of this function is used elsewhere in the contract, the attacker could manipulate the token economy, adversely affecting other users and the contract's integrity.

run this command to test the foundry test below: forge test --match-path tests/testname.t.sol -vvvv

Proof Of Concept:

// SPDX-License-Identifier: GPL-3.0-or-later

pragma solidity >=0.8.22;

import "forge-std/src/Test.sol";

import "../src/libraries/Helpers.sol";

contract HelpersTest is Test {

// Define a large amount that is at the maximum value for uint128

uint128 largeAmount = type(uint128).max; // 2^128 - 1, which is the largest value for uint128

uint8 tokenDecimals = 3; // Example token with 3 decimal places

function testUncheckedArithmeticOverflowInScaleAmount() public {

// Log the initial state for clarity

emit log_named_uint("Testing scaling of large amount", largeAmount);

emit log_named_uint("Token decimals used for scaling", tokenDecimals);

// We expect that scaling a large amount with decimals will result in an overflow.

// The expected outcome is that the operation will revert due to an arithmetic overflow.

vm.expectRevert(); // Indicates that we expect a revert from the next call

// Attempt to scale up a very large amount, which should cause an overflow

// For a token with 3 decimals, the operation would theoretically try to multiply

// by 10^15 (i.e., 10^(18-3)), leading to an overflow since largeAmount is already at its max.

Helpers.scaleAmount(largeAmount, tokenDecimals);

}

The test result should be:

Ran 1 test for tests/CheckingArithmetic.t.sol:HelpersTest

[FAIL: next call did not revert as expected] testUncheckedArithmeticOverflowInScaleAmount() (gas: 9340)

Logs:

Testing scaling of large amount: 340282366920938463463374607431768211455

Token decimals used for scaling: 3

The test was designed to expect a revert when an overflow occurs, signifying that the function should safeguard against such situations.

Since the test did not revert as expected (indicating an overflow), it shows a failure in the implementation's defensive programming. This confirms that the existing logic does not adequately protect against arithmetic issues.

Impact:

Incorrect Financial Calculations:

The scaleAmount function is responsible for converting amounts from token decimals to a fixed-point representation with 18 decimals. An overflow in this function could result in incorrect amounts being calculated. This could lead to:
- Underpayment or Overpayment: Users might receive less or more than intended, affecting trust and usability.
- Mismanagement of Funds: Funds could be misallocated, leading to potential financial losses for users and the platform.

Loss of Funds:
- If the function were to return a very high value due to overflow, this could result in excessive withdrawals or transfers being processed.
- Attackers could exploit this vulnerability to withdraw funds beyond their entitlement, leading to direct financial losses for the contract and its users.

Tools Used: Slither and Aderyn.

Recommendations:

Use SafeMath Libraries:

Implement SafeMath or similar libraries that provide safe arithmetic operations with built-in overflow and underflow checks. In Solidity versions 0.8 and above, overflow checks are inherent to the language, but it’s essential to ensure that all arithmetic operations comply with the latest standards.

Input Validation:

Ensure that inputs to functions are validated before performing arithmetic operations. For instance, checking the range of amount and decimals before proceeding with calculations can help avoid unintended overflows or underflows.

Updates

Lead Judging Commences

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.