Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

256 to 112 could cause a wrong lock amount #114

Open
code423n4 opened this issue May 20, 2022 · 2 comments
Open

256 to 112 could cause a wrong lock amount #114

code423n4 opened this issue May 20, 2022 · 2 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/aurafinance/aura-contracts-lite/blob/main/contracts/AuraLocker.sol#L268

Vulnerability details

Impact

256 to 112 could cause a wrong lock amount

Proof of Concept

for the call stack of "function _lock" , _amount is u256, manually cut to u112, could change actual value of _amount.

Tools Used

Recommended Mitigation Steps

still use u256, instead of cutting to u112
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 20, 2022
code423n4 added a commit that referenced this issue May 20, 2022
@code423n4
zmj issue #114
df5f137
@0xMaharishi 0xMaharishi added invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels May 26, 2022
@0xMaharishi
Copy link

max u112 is 5e33. Tokens have 18 decimals. This is equivalent to 1,000,000,000,000,000e18. Max supply of most tokens is 1e26 or so. Aura token included

@dmvt
Copy link
Collaborator

dmvt commented Jun 25, 2022

This is technically true but it's unreasonable to think that any user will be locking enough tokens in one go to cause this issue to occur. I will leave it as QA.

@dmvt dmvt added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed invalid This doesn't seem right 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmvt @code423n4 @0xMaharishi