29341 - [SC - Insight] Unsafe Downcast vulnerability this can lead to ...

Submitted on Mar 14th 2024 at 12:29:16 UTC by @Enc3yptedDegenExt for Boost | Immunefi Arbitration

Report ID: #29341

Report type: Smart Contract

Report severity: Insight

Target: https://github.com/immunefi-team/vaults/blob/main/src/RewardTimelock.sol

Impacts:

  • Unsafe Downcast vulnerability

Description

Brief/Intro

In Solidity, as in many other typed programming languages, a developer may (attempt to) cast between types in their code. Solidity offers many variants of certain built-in types at different bit widths (for example, uint8 vs. uint256), and it is possible to cast between these. However, a narrowing type cast (from a higher to a lower bit width) may inadvertently truncate bits and cause the value after the cast to not be equivalent to that before the cast. This can lead to inadvertent logical errors in smart contract execution.

Vulnerability Details

The vulnerability exists in the queueRewardTransaction function of the src/RewardTimelock.sol contract, where the uint256 variable dollarAmount is downcast (narrowed) to uint40. This downcast can lead to a silent overflow if dollarAmount exceeds the maximum value that uint40 can hold (2^40 - 1). The overflow can result in unexpected behavior, potentially leading to incorrect storage or processing of dollarAmount.

Impact Details

The silent overflow can lead to incorrect handling of dollarAmount within the RewardTimelock.sol contract. This could result in transactions being queued with incorrect amounts, potentially leading to loss of funds or other unintended consequences. The vulnerability could also be exploited to manipulate the contract's state in ways not intended by the developers.

References

Solidity Documentation: Type casting (https://docs.soliditylang.org/en/v0.8.18/types.html#type-casting)

Proof of Concept

Add the code below after line 69:

require(dollarAmount <= type(uint40).max, "dollarAmount exceeds uint40 max value");
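The narrowing behaviour described above, as an added example that is not part of the original report or of the RewardTimelock code. The contract name, struct layout, error and function names are hypothetical; only the uint256 to uint40 cast and the bounds check mirror the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only. Hypothetical contract, not the audited code.
contract DowncastDemo {
    // Hypothetical custom error, a cheaper alternative to a require string.
    error AmountExceedsUint40(uint256 amount);

    // Hypothetical storage layout: a packed slot is a common reason for uint40.
    struct Queued {
        uint40 dollarAmount;
        uint40 queuedAt;
    }

    mapping(bytes32 => Queued) public queued;

    /// Unchecked variant: an explicit conversion to a narrower type keeps only
    /// the low 40 bits. Solidity 0.8 checked arithmetic does NOT cover explicit
    /// conversions, so this never reverts.
    function queueUnchecked(bytes32 id, uint256 dollarAmount) external {
        queued[id] = Queued(uint40(dollarAmount), uint40(block.timestamp));
    }

    /// Checked variant: same bound as the require() proposed in the report,
    /// so an out-of-range amount reverts instead of being stored truncated.
    function queueChecked(bytes32 id, uint256 dollarAmount) external {
        if (dollarAmount > type(uint40).max) {
            revert AmountExceedsUint40(dollarAmount);
        }
        queued[id] = Queued(uint40(dollarAmount), uint40(block.timestamp));
    }

    /// Helper to observe the truncation directly:
    ///   truncate(2**40 - 1) == 1099511627775   (type(uint40).max, unchanged)
    ///   truncate(2**40)     == 0               (bit 40 is dropped)
    ///   truncate(2**40 + 5) == 5
    function truncate(uint256 x) external pure returns (uint40) {
        return uint40(x);
    }
}
```

A unit test for this kind of fix should exercise the boundary on both sides: `type(uint40).max` must be accepted and `type(uint40).max + 1` must revert.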
