The MembershipERC1155 contract contains a vulnerability in its mint function, where totalSupply is updated using a calculation that can overflow. The problem arises when amount is large, so that the calculation produces a result exceeding the maximum value a uint256 can hold. If triggered, this overflow causes the transaction to revert, making the minting process unstable and potentially resulting in a denial of service (DoS) for this function.
The mint function uses the following line to update the totalSupply with a weighted increase based on tokenId:
https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/tokens/MembershipERC1155.sol#L61
This calculation multiplies amount by a factor of 2 ** (6 - tokenId), where the result depends on the value of tokenId. For smaller tokenId values (such as 0), this factor can be quite large (e.g., 2 ** 6 = 64 for tokenId = 0). When amount is large, this multiplication may result in a number greater than the maximum limit for a uint256, causing an overflow.
In Solidity 0.8.x, overflow checks will automatically cause an error, reverting the transaction. However, this means that if the calculated result exceeds uint256 limits, the mint function will fail, potentially causing a DoS for minting operations.
If overflow occurs, minting will be blocked, affecting token issuance.
Manual Review
Set an upper limit for amount to prevent large values from triggering overflow. For example:
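A minimal sketch of such a cap, added here as an example and not taken from the MembershipERC1155 source. The contract name, the MAX_MINT_AMOUNT value, the custom errors and the simplified balance mapping are assumptions, and access control is omitted to keep the focus on the bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of a bounded weighted mint; hypothetical contract,
/// not the project's code. Access control is intentionally left out.
contract WeightedSupplyCapExample {
    // Assumed policy value: the largest amount accepted in a single mint.
    // With the largest weight (2 ** 6 = 64) the product stays far below
    // type(uint256).max, so the multiplication cannot overflow.
    uint256 public constant MAX_MINT_AMOUNT = 1_000_000;

    // Highest tokenId for which 6 - tokenId does not underflow.
    uint256 public constant MAX_TOKEN_ID = 6;

    uint256 public totalSupply;

    // Simplified stand-in for ERC1155 balances: owner => tokenId => balance.
    mapping(address => mapping(uint256 => uint256)) public balanceOf;

    error InvalidTokenId(uint256 tokenId);
    error AmountTooLarge(uint256 amount, uint256 maxAmount);

    function mint(address to, uint256 tokenId, uint256 amount) external {
        // Reject out-of-range ids with an explicit reason instead of
        // relying on the checked-arithmetic panic from 6 - tokenId.
        if (tokenId > MAX_TOKEN_ID) revert InvalidTokenId(tokenId);

        // Bound amount before it reaches the weighted multiplication.
        if (amount > MAX_MINT_AMOUNT) {
            revert AmountTooLarge(amount, MAX_MINT_AMOUNT);
        }

        // Weighted increase described in the finding: amount * 2 ** (6 - tokenId).
        uint256 weight = 2 ** (6 - tokenId);
        totalSupply += amount * weight;

        balanceOf[to][tokenId] += amount;
    }
}
```

The cap turns an opaque arithmetic panic into a named revert that callers and monitoring can distinguish from other failures.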