Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsafe Cast #4

Closed
code423n4 opened this issue Mar 29, 2022 · 2 comments
Closed

Unsafe Cast #4

code423n4 opened this issue Mar 29, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/sublime-finance/sublime-v1/blob/46536a6d25df4264c1b217bd3232af30355dcb95/contracts/PooledCreditLine/PooledCreditLine.sol

Vulnerability details

use openzeppilin's safeCast in:

    PooledCreditLine.accept : unsafe cast uint128(_amount)
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 29, 2022
code423n4 added a commit that referenced this issue Mar 29, 2022
@code423n4
robee issue #4
d2f5e52
This was referenced Mar 30, 2022
Open
Open
@ritik99 ritik99 added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Apr 6, 2022
@ritik99
Copy link
Collaborator

ritik99 commented Apr 6, 2022

uint128 can hold up to 2^128 ~ 3.4*10^38 which is higher than any token's max supply. We also implement a whitelist for which tokens can be borrowed and include appropriate conditions (for eg, only considering tokens with max. 18 decimals). We consider this cast as safe, but out of an abundance of caution, we will implement the suggestion.

Given there are no other information/scenario details provided, we're assuming this will only cause an issue if the two conditions are met (token supply exceeding 3.4*10^38, and such a token-passing whitelist checks). Thus we would suggest lowering severity to (1) low given their likelihood.

@HardlyDifficult
Copy link
Collaborator

Grouping this with the warden’s QA report, #3

@HardlyDifficult HardlyDifficult added the duplicate This issue or pull request already exists label Apr 19, 2022
@JeeberC4 JeeberC4 added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ritik99 @HardlyDifficult @code423n4 @JeeberC4