RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: high
Invalid

Detailed Arithmetic Operations

Summary

The contract performs arithmetic operations without proper overflow protection.

Vulnerability Details

fund.amount_raised += amount; // In contribute function
amount = ctx.accounts.fund.amount_raised; // In withdraw function

Impact

An attacker could manipulate contribution amounts to exceed maximum values, potentially allowing unauthorized withdrawals.

Proof Of Concept

// Example of overflow vulnerability
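let max_u64 = u64::MAX;
let small_amount: u64 = 1;
// Plain `+` panics on overflow when overflow checks are on (debug builds) and wraps
// when they are off; wrapping_add makes the wrap explicit.
let result = max_u64.wrapping_add(small_amount); // Result would be 0, allowing unauthorized withdrawals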

Tools Used

Manual Review

Rust

Recommendations

Use checked_add and checked_sub for all arithmetic operations:

fund.amount_raised = fund.amount_raised.checked_add(amount).ok_or(ErrorCode::CalculationOverflow)?;

Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Arithmetic overflow in `contribute` function

The max value of u64 is 18,446,744,073,709,551,615, or around 18.4 billion SOL. Given that the total supply of SOL on Solana is 512.50M, the scenario in which the `contribute` function will revert due to overflow is very, very unlikely to happen. Therefore, this is an informational finding.
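
The recommendation and the judgement side by side, as an added example (not code from the submission or from the RustFund program): a plain-Rust stand-in for the fund account shows the wrap the finding describes, the `checked_add` rejection it recommends, and the supply bound the judge relies on. `Fund`, the function names and the constants are assumptions for illustration; only `amount_raised`, `checked_add` and `ErrorCode::CalculationOverflow` come from the page.

```rust
// Added example: plain-Rust stand-in for the fund account; no Anchor dependency.
const LAMPORTS_PER_SOL: u64 = 1_000_000_000;
// Supply figure quoted in the judge's comment (512.50M SOL), in lamports.
const QUOTED_SUPPLY_LAMPORTS: u64 = 512_500_000 * LAMPORTS_PER_SOL;

#[derive(Debug, PartialEq)]
enum ErrorCode {
    CalculationOverflow,
}

struct Fund {
    amount_raised: u64,
}

impl Fund {
    /// What `amount_raised += amount` does when overflow checks are off.
    fn contribute_wrapping(&mut self, amount: u64) {
        self.amount_raised = self.amount_raised.wrapping_add(amount);
    }

    /// The recommended form: reject the contribution instead of wrapping.
    fn contribute_checked(&mut self, amount: u64) -> Result<(), ErrorCode> {
        self.amount_raised = self
            .amount_raised
            .checked_add(amount)
            .ok_or(ErrorCode::CalculationOverflow)?;
        Ok(())
    }
}

/// How many times the whole quoted supply fits in a u64 lamport counter.
fn supplies_needed_to_overflow() -> u64 {
    u64::MAX / QUOTED_SUPPLY_LAMPORTS
}

fn main() {
    let mut wrapped = Fund { amount_raised: u64::MAX };
    wrapped.contribute_wrapping(1);
    println!("wrapping add: {}", wrapped.amount_raised);

    let mut checked = Fund { amount_raised: u64::MAX };
    println!("checked add: {:?}", checked.contribute_checked(1));
    println!("state after rejected add: {}", checked.amount_raised);

    let mut full = Fund { amount_raised: 0 };
    println!("entire supply: {:?}", full.contribute_checked(QUOTED_SUPPLY_LAMPORTS));
    println!("supplies needed: {}", supplies_needed_to_overflow());
}
```

The checked path leaves `amount_raised` untouched when it returns the error, so a rejected contribution cannot corrupt the counter that `withdraw` later reads.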
