Token-0x

First Flight #54
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Valid

Integer Overflow in `_mint`

Root + Impact

Description

  • The mint function should increase the total supply and the beneficiary's balance, reverting if either overflows.

  • The _mint function uses assembly to add the minted value to both totalSupply and the account balance without checking for overflow.

// src/helpers/ERC20Internals.sol
function _mint(address account, uint256 value) internal {
    assembly ("memory-safe") {
        // ... (check zero address)
        let supply := sload(supplySlot)
        sstore(supplySlot, add(supply, value)) // @> No check for overflow
        // ...
        let accountBalance := sload(accountBalanceSlot)
        sstore(accountBalanceSlot, add(accountBalance, value)) // @> No check for overflow
    }
}

Risk

Likelihood:

  • Medium // Requires the ability to mint tokens (often restricted to an owner/minter role, but critical if the minter is malicious or compromised, or if minting is public).

Impact:

  • High // totalSupply can be manipulated to wrap around to 0, completely breaking the token's economic model.

  • High // An attacker can mint an infinite amount of tokens to themselves by wrapping their balance.

Proof of Concept

function test_Overflow_Mint() public {
    address userA = makeAddr("userA");
    uint256 amount = type(uint256).max;
    token.mint(userA, amount);
    // Mint 1 more. Should overflow to 0.
    token.mint(userA, 1);
    assertEq(token.balanceOf(userA), 0);
    assertEq(token.totalSupply(), 0);
}

Recommended Mitigation

- sstore(supplySlot, add(supply, value))
+ let newSupply := add(supply, value)
+ // Check for overflow on total supply
+ if lt(newSupply, supply) { revert(0, 0) }
+ sstore(supplySlot, newSupply)
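Review bot: the supply check `if lt(newSupply, supply) { revert(0, 0) }` reverts with empty return data, so a caller or a test cannot tell an overflow apart from any other bare revert in `_mint`. Consider writing a dedicated error selector to memory and reverting with it, so the failure is identifiable on-chain and in traces.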
- sstore(accountBalanceSlot, add(accountBalance, value))
+ let newAccountBalance := add(accountBalance, value)
+ // Check for overflow on account balance
+ if lt(newAccountBalance, accountBalance) { revert(0, 0) }
+ sstore(accountBalanceSlot, newAccountBalance)
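Review bot: the balance check on `newAccountBalance` can only fire if an account balance is able to exceed the total supply. If every balance is bounded by `supply`, this branch is unreachable once the supply check above has passed. Keeping it as defence in depth is reasonable, but the comment should say so, and the patch should come with a test that expects the second `token.mint(userA, 1)` from the Proof of Concept to revert instead of wrapping.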

Similar to the transfer function, we must check for overflows when increasing both the totalSupply and the user's balance. If either addition results in a value smaller than the original, an overflow has occurred, and we must revert.
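A regression test for the check described above, as an added example that is not part of the original submission or the contest code base. The harness `CheckedMintHarness`, its storage layout and the address `0xA11CE` are assumptions made for illustration, and it needs Foundry's forge-std. It inverts the Proof of Concept (the second mint must revert) and goes beyond it with a fuzz property over arbitrary mint pairs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Hypothetical harness (not the contest's ERC20Internals) using the checked Yul pattern.
contract CheckedMintHarness {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function mint(address account, uint256 value) external {
        assembly ("memory-safe") {
            let supply := sload(totalSupply.slot)
            let newSupply := add(supply, value)
            if lt(newSupply, supply) { revert(0, 0) } // sum wrapped past 2**256 - 1
            sstore(totalSupply.slot, newSupply)
            mstore(0x00, account) // mapping slot = keccak256(key . mappingSlot)
            mstore(0x20, balanceOf.slot)
            let balSlot := keccak256(0x00, 0x40)
            let bal := sload(balSlot)
            let newBal := add(bal, value)
            if lt(newBal, bal) { revert(0, 0) }
            sstore(balSlot, newBal)
        }
    }
}

contract CheckedMintTest is Test {
    CheckedMintHarness token = new CheckedMintHarness();
    address userA = address(0xA11CE); // constructed sample address

    // Regression form of the PoC: the second mint reverts and state is unchanged.
    function test_MintRevertsInsteadOfWrapping() public {
        token.mint(userA, type(uint256).max);
        vm.expectRevert();
        token.mint(userA, 1);
        assertEq(token.totalSupply(), type(uint256).max);
        assertEq(token.balanceOf(userA), type(uint256).max);
    }

    // Property: a second mint either reverts or adds exactly b, never wraps.
    function testFuzz_MintNeverWraps(uint256 a, uint256 b) public {
        token.mint(userA, a);
        if (b > type(uint256).max - a) vm.expectRevert();
        token.mint(userA, b);
        uint256 expected = b > type(uint256).max - a ? a : a + b;
        assertEq(token.totalSupply(), expected);
        assertEq(token.balanceOf(userA), expected);
    }
}
```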

Updates

Lead Judging Commences

gaurangbrdv Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

overflow & underflow

missing checks for overflow and underflow.
