Last updated
Was this helpful?
Submitted on Mar 14th 2024 at 12:29:16 UTC by @Enc3yptedDegenExt for
Report ID: #29341
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/vaults/blob/main/src/RewardTimelock.sol
Impacts:
Unsafe Downcast vulnerability
In Solidity, as in many other typed programming languages, a developer may (attempt to) cast between types in their code. Solidity offers many variants of certain built-in types at different bit widths (for example, uint8 vs. uint256), and it is possible to cast between these. However, a narrowing type cast (from a higher to a lower bit width) may inadvertently truncate bits and cause the value after the cast to not be equivalent to that before the cast. This can lead to inadvertent logical errors in smart contract execution.
The vulnerability exists in the queueRewardTransaction function of the src/RewardTimelock.sol contract, where a uint256 variable dollarAmount is narrowed downcast to uint40. This downcast can lead to a silent overflow if dollarAmount exceeds the maximum value that uint40 can hold (2^40 - 1). The overflow can result in unexpected behavior, potentially leading to incorrect storage or processing of the dollarAmount
The silent overflow can lead to incorrect handling of dollarAmount within the RewardTimelock.sol contract. This could result in transactions being queued with incorrect amounts, potentially leading to loss of funds or other unintended consequences. The vulnerability could also be exploited to manipulate the contract's state in ways not intended by the developers.
Solidity Documentation: Type casting (https://docs.soliditylang.org/en/v0.8.18/types.html#type-casting)
Add this below code after line no 69
require(dollarAmount <= type(uint40).max, "dollarAmount exceeds uint40 max value");
