Attackathon _ Fuel Network 33267 - [Smart Contract - High] Bug in Multiply and Divide function
Submitted on Tue Jul 16 2024 16:36:28 GMT-0400 (Atlantic Standard Time) by @shadowHunter for
Report ID: #33267
Report type: Smart Contract
Report severity: High
Target: https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
It seems that both the multiply and divide functions in ifp64.sw, ifp128.sw and ifp256.sw will not work correctly if any one of the numbers is negative, as shown in the PoC below.
https://github.com/FuelLabs/sway-libs/blob/0f47d33d6e5da25f782fc117d4be15b7b12d291b/libs/src/fixed_point/ifp64.sw#L273-L276
https://github.com/FuelLabs/sway-libs/blob/0f47d33d6e5da25f782fc117d4be15b7b12d291b/libs/src/fixed_point/ifp64.sw#L292-L295
Similarly for ifp128.sw and ifp256.sw.
Let's see how the resulting non_negative is calculated while multiplying and dividing.
As we can see, it only checks the non_negative param of the 1st argument and never other.non_negative.
So if we multiply -A * B, then non_negative becomes true, since (self.non_negative && !self.non_negative) || (!self.non_negative && self.non_negative) always remains false.
So the result will be AB instead of -AB.
Users who trust this library for arithmetic operations can bear huge losses, since multiplying and dividing will return a result that should be negative as a positive value.
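
The sign expression quoted above, reproduced in a small Rust model beside the check that compares self with other. This is an added example, not code from sway-libs or the report's PoC; the Signed struct and the names mul_reported, mul_expected and sign_mismatches are hypothetical, and fixed-point scaling is omitted. Division uses the same sign rule, so only multiplication is shown.

```rust
// Simplified sign-magnitude model, assumed for illustration (not the sway-libs types).
// Fixed-point scaling is left out because only the sign logic matters here.
#[derive(Debug, Clone, Copy, PartialEq)]
struct Signed {
    magnitude: u64,
    non_negative: bool,
}

impl Signed {
    // Sign logic as quoted in the report: every term reads `self`, never `other`,
    // so the condition is a contradiction and the product is always non-negative.
    fn mul_reported(self, other: Signed) -> Signed {
        let signs_differ = (self.non_negative && !self.non_negative)
            || (!self.non_negative && self.non_negative);
        Signed { magnitude: self.magnitude * other.magnitude, non_negative: !signs_differ }
    }

    // Intended logic: the product is negative exactly when the operand signs differ.
    // Treating a zero result as non-negative is a choice made in this example.
    fn mul_expected(self, other: Signed) -> Signed {
        let magnitude = self.magnitude * other.magnitude;
        let signs_differ = self.non_negative != other.non_negative;
        Signed { magnitude, non_negative: !signs_differ || magnitude == 0 }
    }
}

// Walk all four sign combinations and return those where the two versions disagree.
fn sign_mismatches() -> Vec<(bool, bool)> {
    let mut out = Vec::new();
    for &lhs in &[true, false] {
        for &rhs in &[true, false] {
            let a = Signed { magnitude: 3, non_negative: lhs };
            let b = Signed { magnitude: 4, non_negative: rhs };
            if a.mul_reported(b) != a.mul_expected(b) {
                out.push((lhs, rhs));
            }
        }
    }
    out
}

fn main() {
    // Prints [(true, false), (false, true)]: one negative operand gives the wrong sign.
    println!("{:?}", sign_mismatches());
}
```

A four-row sign table like sign_mismatches is a cheap regression test for any sign-magnitude arithmetic type.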