Attackathon _ Fuel Network 33331 - [Smart Contract - High] Overflow in Types Less Than u

Overflow in Types Less Than u64

Submitted on Wed Jul 17 2024 22:27:13 GMT-0400 (Atlantic Standard Time) by @Blockian for Attackathon | Fuel Network

Report ID: #33331

Report type: Smart Contract

Report severity: High

Target: https://github.com/FuelLabs/sway/tree/v0.61.2

Impacts:

• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

• Incorrect math

Description

Fuel Network bug report

Overflow in Types Less Than u64

Description

Since any non-64-bit value is compiled to a u64 value under-the-hood, the ALU fails to detect overflows. Specifically, the pow function does not manually check for overflows, allowing overflows and undefined behavior in u32, u16, and u8 types.

Root Cause

Non-64-bit values are compiled to u64 under the hood, preventing the ALU from detecting overflows. Consequently, every mathematical operation should manually perform overflow checks.

For instance, the add implementation includes such checks:

As shown, the add function checks for overflows manually. However, the pow implementation lacks this check:

This oversight means any overflows not triggering the ALU overflow check (i.e., all values until u64::max) are missed.

Impact

This issue affects the u32, u16 and u8 types in the Fuel ecosystem. Any project utilizing these types will encounter incorrect calculations.

In the crypto space, even minor errors, like off by one, can lead to substantial financial losses, underscoring the critical nature of this bug.

Additionally, since values are stored as u64 under the hood, the actual stored value may differ from the displayed value. For instance, an overflown u8 may present as 0 but hold 0xffffffffffffff00 internally.

Proposed fix

Introduce a check for overflows in the pow function:

Proof of concept

Proof of Concept

Run the POC with forc test