Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Overflow Risk in applyFactor Result Casting to int256

Deleted user

Summary

A potential overflow vulnerability exists in the MarketUtils library when converting large uint256 values to int256 during collateral checks. While this requires misconfiguration, it could impact critical system operations.

Vulnerability Details

The issue occurs in the willPositionCollateralBeSufficient function when converting position values:

function willPositionCollateralBeSufficient(
// ...parameters...
) external view returns (bool, int256) {
// ...
int256 minCollateralUsdForLeverage = applyFactor(values.positionSizeInUsd, minCollateralFactor).toInt256();
// Potential overflow if result > type(int256).max
// ...
}

The applyFactor() function currently performs multiplication without checking if the result will fit within int256 bounds:

function applyFactor(uint256 value, uint256 factor) internal pure returns (uint256) {
return Math.mulDiv(value, factor, FLOAT_PRECISION);
}

Impact

  • Severity: Low

  • Likelihood: Low

  • Potential Impact: Transaction reverts during legitimate collateral checks

The severity is rated low because:

  1. Requires specific misconfiguration of system parameters

  2. Protected by existing bounds checks in most scenarios

  3. No direct loss of funds possible

Recommendation

Add validation before the int256 conversion:

function applyFactor(uint256 value, uint256 factor) internal pure returns (uint256) {
uint256 result = Math.mulDiv(value, factor, FLOAT_PRECISION);
require(result <= uint256(type(int256).max), "MarketUtils: result exceeds int256 max");
return result;
}

Tools Used

  • Manual code review

  • Solidity compiler analysis

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.