# 29341 - [SC - Insight] Unsafe Downcast vulnerability this can lead to ...

Submitted on Mar 14th 2024 at 12:29:16 UTC by @Enc3yptedDegenExt for [Boost | Immunefi Arbitration](https://immunefi.com/bounty/immunefiarbitration-boost/)

Report ID: #29341

Report type: Smart Contract

Report severity: Insight

Target: <https://github.com/immunefi-team/vaults/blob/main/src/RewardTimelock.sol>

Impacts:

* Unsafe Downcast vulnerability

## Description

## Brief/Intro

In Solidity, as in many other typed programming languages, a developer may (attempt to) cast between types in their code. Solidity offers many variants of certain built-in types at different bit widths (for example, uint8 vs. uint256), and it is possible to cast between these. However, a narrowing type cast (from a higher to a lower bit width) may inadvertently truncate bits and cause the value after the cast to not be equivalent to that before the cast. This can lead to inadvertent logical errors in smart contract execution.

## Vulnerability Details

The vulnerability exists in the queueRewardTransaction function of the src/RewardTimelock.sol contract, where the uint256 variable dollarAmount is downcast to uint40. This narrowing cast can lead to a silent overflow if dollarAmount exceeds the maximum value that uint40 can hold (2^40 - 1). The overflow can result in unexpected behavior, potentially leading to incorrect storage or processing of dollarAmount.

## Impact Details

The silent overflow can lead to incorrect handling of dollarAmount within the RewardTimelock.sol contract. This could result in transactions being queued with incorrect amounts, potentially leading to loss of funds or other unintended consequences. The vulnerability could also be exploited to manipulate the contract's state in ways not intended by the developers.

## References

Solidity Documentation: Type casting (<https://docs.soliditylang.org/en/v0.8.18/types.html#type-casting>)

## Proof of Concept

Add the following check after line 69:

```solidity
require(dollarAmount <= type(uint40).max, "dollarAmount exceeds uint40 max value");
```
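The following contract is an added illustration of the pattern described in the Vulnerability Details and of the check proposed in the Proof of Concept; it is not code from the immunefi-team/vaults repository. The contract name, the function names and the `preview` helper are assumptions chosen for the demo and do not correspond to names in RewardTimelock.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration for this report, not code from the immunefi-team/vaults
/// repository. Contract and function names are assumptions for the demo.
contract DowncastDemo {
    uint40 public storedAmount;

    /// Mirrors the pattern the report describes: an explicit narrowing cast
    /// with no range check. Solidity 0.8.x checked arithmetic does NOT cover
    /// explicit conversions, so the high bits are dropped silently and the
    /// stored value is the input taken modulo 2**40.
    function unsafeStore(uint256 dollarAmount) external {
        storedAmount = uint40(dollarAmount);
    }

    /// The check the report proposes: revert instead of truncating.
    function safeStore(uint256 dollarAmount) external {
        require(dollarAmount <= type(uint40).max, "dollarAmount exceeds uint40 max value");
        storedAmount = uint40(dollarAmount);
    }

    /// Pure helper so the truncation can be observed without touching state:
    /// returns the value the cast would produce and whether bits were lost.
    function preview(uint256 dollarAmount) external pure returns (uint40 truncated, bool lossy) {
        truncated = uint40(dollarAmount);
        lossy = uint256(truncated) != dollarAmount;
    }
}
```

Calling `preview(1099511627781)` (that is, 2^40 + 5) returns `(5, true)`: the cast keeps only the low 40 bits, so `unsafeStore` would record 5 for a caller who passed 1099511627781, while `safeStore` reverts with the message from the Proof of Concept. `preview(1099511627775)` (2^40 - 1, the uint40 maximum) returns the input unchanged with `lossy == false`. The same range check can also be obtained from a checked-conversion library such as OpenZeppelin's SafeCast rather than written inline.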

