Submitted on Wed Jul 17 2024 10:20:43 GMT-0400 (Atlantic Standard Time) by @shadowHunter for Attackathon | Fuel Network
Report ID: #33302
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b
Impacts:
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Compiler bug
It seems like exp
function will always return UFP128::from((1, 0))
no matter what argument is passed. This happens due to mistake in the return variable
-- let res = one;
++ let res = one + _res_minus_1;
- Observe the
exp
function
impl Exponent for UFP128 {
fn exp(exponent: Self) -> Self {
let one = UFP128::from((1, 0));
let p2 = one / UFP128::from((2, 0));
let p3 = one / UFP128::from((6, 0));
let p4 = one / UFP128::from((24, 0));
let p5 = one / UFP128::from((120, 0));
let p6 = one / UFP128::from((720, 0));
let p7 = one / UFP128::from((5040, 0));
// common technique to counter losing sugnifucant numbers in usual approximation
let _res_minus_1 = exponent + exponent * exponent * (p2 + exponent * (p3 + exponent * (p4 + exponent * (p5 + exponent * (p6 + exponent * p7)))));
let res = one;
res
}
}
- Observe that res is simply returning
one
instead ofone + _res_minus_1
which will be correct exp
Dapp relying on sway library will find itself with incorrect computation of exp. If the resulting was financial calculation then this will cause fund loss to the dapp user
fn foo() {
let mut one = UFP128::from((1, 0));
let two = UFP128::from((2, 0));
res = UFP128::exp(two);
assert(res != one);
}