Token-0x

First Flight #54

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing Overflow/Underflow Checks in Yul Assembly Arithmetic Operations

umesh1145

Root + Impact

Description

Normal behavior: ERC20 transfers/mints/burns must revert on overflow/underflow to keep balances and totalSupply correct.
Issue: Yul add/sub are unchecked, so balances and supply wrap instead of reverting.

// Root cause with @> marker

// File: src/helpers/ERC20Internals.sol (lines 92–131)

sstore(fromSlot, sub(fromAmount, value))

@> sstore(toSlot, add(toAmount, value)) // unchecked add wraps

Similar unchecked add in _mint (supply/balance) and unchecked sub in _burn.

Risk

Likelihood:

Large rewards/emissions or whale balances reach near 2^256-1; next add wraps.
Protocol mints near max supply; subsequent mint/transfer wraps silently.

Impact:

Balance corruption and fund loss for recipients.
totalSupply corruption breaks protocol/token economics.

Proof of Concept

function testOverflow() public {

// Vulnerable path: unchecked add in _transfer

token.transfer(victim, 200);

// (maxUint - 100 + 200) mod 2^256 = 99 due to unchecked add

console2.log("Victim balance after overflow transfer:", token.balanceOf(victim));

assertEq(token.balanceOf(victim), 99);

}

Why 99: max = 2^256 - 1; max - 100 + 200 = 2^256 + 99; mod 2^256 leaves 99.

Observed output (Forge):

Ran 1 test for test/OverflowPOC.t.sol:OverflowPOCTest

[PASS] testOverflow() (gas: 27925)

Logs:

Victim balance after overflow transfer: 99

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.80ms (4.05ms CPU time)

Recommended Mitigation

- sstore(toSlot, add(toAmount, value))

+ let newTo := add(toAmount, value)

+ if lt(newTo, toAmount) { revert(0, 0) } // overflow

+ sstore(toSlot, newTo)

Add equivalent overflow checks in _mint (supply and balance) and underflow checks in _burn before sstore.

Updates

Lead Judging Commences

gaurangbrdv Lead Judge 18 days ago

Submission Judgement Published

Validated

Assigned finding tags:

overflow & underflow

overflow & underflow occurs

Appeal created

umesh1145 Submitter

18 days ago

gaurangbrdv Lead Judge

18 days ago

umesh1145 Submitter

17 days ago

gaurangbrdv Lead Judge

17 days ago

umesh1145 Submitter

17 days ago

gaurangbrdv Lead Judge

17 days ago

gaurangbrdv Lead Judge 14 days ago

Submission Judgement Published

Validated

Assigned finding tags:

overflow & underflow

overflow & underflow occurs

Rewards breakdown

nSLOC

222

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!