The colRedeemed
variable is wrongly retrieved in LibBytes::readProposalData
function
#221
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-03
primary issue
Highest quality submission among a set of duplicates
🤖_89_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibBytes.sol#L42
Vulnerability details
Impact
The
LibBytes::readProposalData
function uses inline assembly for efficient data extraction from a byte array. ThecolRedeemed
variable, which represents an 11-byte value within theProposalData
structure, is intended to be extracted by applying a mask to isolate the relevant bytes. However, the current implementation incorrectly uses theadd
operation. That leads to retrieve incorrect value ofcolRedeemed
variable:The
add
operation would incorrectly add the mask to the shifted value, potentially resulting in an incorrect value forcolRedeemed
. The correct operation should useand
to apply the mask and isolate the 11-bytecolRedeemed
value.The
RedemptionFacet
contract calls theLibBytes::readProposalData
function and usescolRedeemed
variable inclaimRedemption
function.Proof of Concept
Link to the code: https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibBytes.sol#L42
The following contract
Assembly
is a simple contract that contains two functions:incorrectColRedeemed
with the logic from theLibBytes
contract and thecorrectColRedeemed
with the correct logic:The following test file contains test function
test_assembly
that compares the returned value from the both functions and shows the differences between the results.Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Replace the
add
operation with anand
operation to correctly apply the mask:colRedeemed := and(0xffffffffffffffffffffff, shr(80, fullWord))
Assessed type
Other
The text was updated successfully, but these errors were encountered: