Attackathon _ Fuel Network 33242 - [Smart Contract - High] Incorrect Implementation of IFP Multiply
Incorrect Implementation of IFP Multiply and Divide Functions
Submitted on Mon Jul 15 2024 20:37:02 GMT-0400 (Atlantic Standard Time) by @Blockian for Attackathon | Fuel Network
Report ID: #33242
Report type: Smart Contract
Report severity: High
Target: https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b
Impacts:
Incorrect math
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Fuel Network bug report
Incorrect Implementation of IFP Multiply and Divide Functions
Description
The current implementation of the multiply and divide functions in sway-libs for the signed Fixed Point numbers is flawed. Specifically, the implementation always returns a positive number, even when a negative result is expected.
Root Cause
The multiply function from the IFP64 implementation is as follows:
fn multiply(self, other: Self) -> Self {
let non_negative = if (self.non_negative
&& !self.non_negative)
|| (!self.non_negative
&& self.non_negative)
{
false
} else {
true
};
Self {
underlying: self.underlying * other.underlying,
non_negative: non_negative,
}
}Similarly, the divide function is implemented as:
fn divide(self, divisor: Self) -> Self {
let non_negative = if (self.non_negative
&& !self.non_negative)
|| (!self.non_negative
&& self.non_negative)
{
false
} else {
true
};
Self {
underlying: self.underlying / divisor.underlying,
non_negative: non_negative,
}
}In both functions, when determining the value of non_negative, the code incorrectly compares self with self instead of self with other or divisor. This results in non_negative always being set to true, regardless of the values being operated on.
NOTE: This error affects all IFP types.
Impact
This issue affects every implementation of signed fixed point numbers in the Fuel ecosystem. Any project utilizing these implementations will encounter incorrect calculations.
In the crypto space, even minor errors, like off by one, can lead to substantial financial losses, underscoring the critical nature of this bug.
Proposed fix
Compare self and other in multiply and self and divisor in divide
By correctly comparing self with other or divisor, the functions will properly set the non_negative value, ensuring accurate results.
Proof of concept
Proof of Concept
Run the POC's with forc test
contract;
use sway_libs::fixed_point::ifp64::IFP64;
abi Tester {
fn wrong_mult() -> bool;
fn wrong_div() -> bool;
}
impl Tester for Contract {
fn wrong_mult() -> bool {
let one = IFP64::from_uint(1u32);
let minus_one = IFP64::from_uint(1u32) - IFP64::from_uint(2u32); // minus 1
one * minus_one > IFP64::zero() // that is a mistake, 1 * -1 = -1 which is smaller that zero
}
fn wrong_div() -> bool {
let one = IFP64::from_uint(1u32);
let minus_one = IFP64::from_uint(1u32) - IFP64::from_uint(2u32); // minus 1
one / minus_one > IFP64::zero() // that is a mistake, 1 / -1 = -1 which is smaller that zero
}
}
#[test]
fn test() {
let caller = abi(Tester, CONTRACT_ID);
assert(caller.wrong_mult() == true); // the result is bigger than zero even though it should be negative
assert(caller.wrong_div() == true); // the result is bigger than zero even though it should be negative
}Last updated
Was this helpful?