Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Integer Underflow in `sumReturnUint256` Leads to Incorrect Collateral Calculations and Potential Financial Exploitation

brene

Summary

The sumReturnUint256 function in the MarketUtils library contains an issue that can lead to integer underflow when handling negative values. This vulnerability can be exploited to manipulate the contract's behavior, potentially leading to unintended consequences in financial calculations.

Vulnerability Details

The sumReturnUint256 function handles the addition and subtraction of unsigned integers (uint256) and signed integers (int256). When the signed integer b is negative, the function attempts to subtract a positive value from a. If a is smaller than the absolute value of b, this results in an underflow.

function sumReturnUint256(uint256 a, int256 b) internal pure returns (uint256) {
if (b > 0) {
return a + uint256(b);
}
>> return a - uint256(-b);
}

Impact

willPositionCollateralBeSufficient function relies on getMinCollateralFactorForOpenInterest to determine the minimum collateral required based on the current market conditions and open interest. When absolute value of b is greater than a, the function will revert because of underflow therefore traders may failed to decrease their positions even when collateral is sufficient and also if a liquidation relies on willPositionCollateralBeSufficient, it could fail to execute, allowing undercollateralized positions to remain open longer than intended.

Tools

Manual Review

Recommendations

Implement checks to prevent the underflow

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Appeal created

brene Submitter
5 months ago
n0kto Lead Judge
5 months ago
n0kto Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.