Underflow possible in rebalance() of RebalanceManagerV3 #43
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Handle
gpersoon
Vulnerability details
Impact
The function rebalance() of RebalanceManagerV3 calculates the amount of tokens received by subtracting oldBalance from the new balanceOf()
If the new balanceOf() happens to be smaller than oldBalance (due to an error or a weird situation at the exchange) then the variable "input" would be negative.
As the solidity version is 0.7.5 and input is an unsigned int, it would underflow and result in a very large value.
Assuming this happens at the last cycle of the inner for loop, then the following require would not revert because input is very large (although it should have reverted)
This way you could receive less tokens than required with a revert, which is unwanted.
Proof of Concept
https://github.com/code-423n4/2021-12-amun/blob/cf890dedf2e43ec787e8e5df65726316fda134a1/contracts/basket/contracts/callManagers/RebalanceManagerV3.sol#L158-L206
Tools Used
Recommended Mitigation Steps
Use safemath for the subtraction
The text was updated successfully, but these errors were encountered: