uint96 Token Compatibility Issues
Summary
The current implementation fails to account for tokens that revert on transfers larger than uint96 (e.g., UNI, COMP). This can lead to locked funds.
Vulnerability Details
collectProtocolRevenue() function:
protocolRevenue is stored as uint128.
If accumulated revenue exceeds uint96.max (79,228,162,514,264,337,593,543,950,335)
,transfer will revert for UNI/COMP tokens
.
Funds become permanently locked in the contract
recover() function:
surplus is calculated as uint256
No check for uint96 limit before transfer
Large surplus recoveries will fail for UNI/COMP tokens
Can lead to permanent fund lockup
Impact
When the revenue or surplus exceeds the uint96 limit, the safeTransfer function reverts. This bug can prevent the protocol from collecting revenue or recovering surplus tokens when dealing with tokens like UNI or COMP.
Tools Used
Manual review
Recommendations
document the special handling of tokens with uint96 storage limits
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.