Attackathon _ Fuel Network 33233 - [Smart Contract - Medium] Incorrect Implementation of Unsigned -b
Submitted on Mon Jul 15 2024 16:51:42 GMT-0400 (Atlantic Standard Time) by @Blockian for
Report ID: #33233
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Incorrect math
Permanent freezing of funds
Temporary freezing of funds for at least 1 hour
The current implementation of the fractional function in sway-libs for the unsigned 32-bit Fixed Point and signed 64-bit Fixed Point is flawed. This issue causes the function to revert every time it's called, potentially leading to problems for projects built on the Fuel platform.
The fract function from the UFP32 implementation is as follows:
The issue arises after the left shift operation, where the function subtracts u32::max and then subtracts 1. Since left shifting doesn't change the operand's type (i.e., a << 16 keeps a as u32), (self.underlying << 16) remains within the bounds of u32. Specifically, (self.underlying << 16) is constrained by 4294901760 (0b11111111111111110000000000000000), with the left shift ensuring the 16 rightmost bits are zero.
Consequently, for any self.underlying, (self.underlying << 16) is always less than u32::max, leading to an underflow and causing a revert.
Every usage of UFP32.fract results in a revert, affecting:
UFP32.ceil - relies on the fract function.
IFP64.fract - internally uses UFP32, causing it to revert.
IFP64.ceil - also reverts since it uses both UFP32 and the fract function.
Any function in a contract that relies on one of those functions will revert, possibly locking user funds.
Remove the unnecessary subtraction:
This modification ensures the function operates correctly without causing reverts.
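The underflow argument above can be checked mechanically. The following Rust model is an added example, not code from the report or from sway-libs: it represents Sway's reverting u32 subtraction with checked arithmetic, and the 16 fractional bits, the final right shift, and the shape of the fix are assumptions inferred from the description.

```rust
// Added model, not sway-libs code: Sway's reverting u32 arithmetic is
// represented with Rust checked arithmetic, where None stands for a revert.

const FRACTION_BITS: u32 = 16; // assumption: UFP32 keeps 16 fractional bits

/// Expression as the report describes it: (underlying << 16) - u32::max - 1.
fn fract_as_reported(underlying: u32) -> Option<u32> {
    // The shift stays in u32, so the result is at most 0xFFFF_0000.
    let shifted = underlying << FRACTION_BITS;
    shifted
        .checked_sub(u32::MAX)? // shifted < u32::MAX for every input
        .checked_sub(1)
        .map(|v| v >> FRACTION_BITS) // assumed final shift; never reached
}

/// Assumed shape of the fix: the same shifts with the subtraction removed.
fn fract_without_subtraction(underlying: u32) -> u32 {
    (underlying << FRACTION_BITS) >> FRACTION_BITS
}

/// Number of inputs for which the reported expression does not revert.
fn count_non_reverting(samples: &[u32]) -> usize {
    samples.iter().filter(|&&u| fract_as_reported(u).is_some()).count()
}

/// Constructed inputs: boundary values plus a strided sweep of the u32 range.
fn sample_inputs() -> Vec<u32> {
    let mut v = vec![0, 1, 0xFFFF, 0x0001_0000, 0x0001_8000, 0xFFFF_0000, u32::MAX];
    v.extend((0..=u32::MAX).step_by(65_521));
    v
}

fn main() {
    let samples = sample_inputs();
    println!("inputs tested: {}", samples.len());
    println!("non-reverting with subtraction: {}", count_non_reverting(&samples));
    // 1.5 in 16.16 fixed point is 0x0001_8000; its fractional part is 0x8000.
    println!("fract(1.5) without subtraction: {:#x}",
             fract_without_subtraction(0x0001_8000));
}
```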
Run the PoCs with forc test