Attackathon _ Fuel Network 32706 - [Smart Contract - High] the function subtract in signed libs like
Submitted on Sun Jun 30 2024 13:19:53 GMT-0400 (Atlantic Standard Time) by @zeroK for
Report ID: #32706
Report type: Smart Contract
Report severity: High
Target: https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Block stuffing
The `subtract` function in the signed integer libraries subtracts two I8 numbers, which are stored as u8 values. The library uses a bias mechanism to handle signed values because the FuelVM does not support negative values. However, `subtract` does not correctly handle the case where `self.value < indent` and `other.value > indent`, which can block the subtraction logic when the user sets `self` to a smaller number than `other`.
Looking at the function below, there is a case where `self.value` is smaller than indent and `other.value` is bigger than or equal to indent. If `other` is bigger, an overflow/underflow can occur because the code computes `self.value - (other - indent)`; in this case `other` is bigger than `self`, and the FuelVM will panic:
The function above should only accept values that were wrapped by calling `I8...256.from_uint(u8... u64)`, because using the `from` function itself can break the whole contract math functionality. This means that when a user passes a valid u8 value as `self.value` that is smaller than `other.value`, and `other.value` is bigger than indent (which is 128), the subtract functionality is blocked and causes a FuelVM panic.
NOTE: we tried to use the `from` function, but this will break the whole math functionality, because if you wrap a u8 value using the `from` function then there is no case where the value is smaller than indent that can be executed, which is a more critical issue if the team is planning to use the `from` function from signed integer rather than `from_uint`.
Incorrect handling of the case where `self.value < indent` and `other > indent` can block the subtract functionality.
Add an `if` check inside the `else if self.underlying < Self::indent() && other.underlying >= Self::indent()` branch to make sure the subtraction executes without causing a panic from overflow or underflow.
run this test directly in the I8.sw lib.
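The branch arithmetic described in this report, as an added Rust model (not the report's proof of concept and not sway-libs code; the function names are hypothetical). It assumes only what the report states, a bias (`indent`) of 128 and the expression `self.value - (other - indent)`, and uses `checked_sub` to stand in for the FuelVM panic while sweeping every operand pair that reaches the branch.

```rust
// Added illustration: Rust model of the biased I8 arithmetic in this report.
// Not sway-libs code; all names here are hypothetical.
const INDENT: u8 = 128; // bias: underlying 128 encodes signed 0

/// Signed value encoded by a biased underlying byte.
fn decode(underlying: u8) -> i16 {
    underlying as i16 - INDENT as i16
}

/// The branch the report describes (self < indent, other >= indent):
/// self - (other - indent). `None` marks where unsigned underflow occurs,
/// which is where the FuelVM would panic.
fn subtract_branch(this: u8, other: u8) -> Option<u8> {
    assert!(this < INDENT && other >= INDENT, "outside the modelled branch");
    this.checked_sub(other - INDENT)
}

/// Guarded form in the spirit of the recommended extra check: compare the
/// operands first and return an error instead of trapping.
fn subtract_guarded(this: u8, other: u8) -> Result<u8, &'static str> {
    assert!(this < INDENT && other >= INDENT, "outside the modelled branch");
    if other - INDENT > this {
        return Err("result is below the I8 minimum");
    }
    Ok(this - (other - INDENT))
}

/// Sweep all operand pairs that reach the branch.
/// Returns (pairs that succeed, pairs that underflow).
fn sweep() -> (u32, u32) {
    let (mut ok, mut trap) = (0, 0);
    for this in 0..INDENT {
        for other in INDENT..=u8::MAX {
            let exact = decode(this) - decode(other); // signed reference result
            match subtract_branch(this, other) {
                // A successful result always matches signed arithmetic.
                Some(r) => { assert_eq!(decode(r), exact); ok += 1; }
                // Underflow happens only when the exact result is below -128.
                None => { assert!(exact < -128); trap += 1; }
            }
        }
    }
    (ok, trap)
}

fn main() {
    println!("(ok, underflow) = {:?}", sweep());
}
```
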