Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Underflow due to incorrect comparison #433

Closed
code423n4 opened this issue Jul 1, 2023 · 4 comments
Closed

Underflow due to incorrect comparison #433

code423n4 opened this issue Jul 1, 2023 · 4 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-766 satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-amm/UlyssesPool.sol#L260

Vulnerability details

Underflow due to incorrect comparison

leftOverBandwidth is underflowed due to incorrect comparison of oldTotalWeights and newTotalWeights.

Proof of Concept

247         uint256 leftOverBandwidth;
248        
249                BandwidthState storage poolState = bandwidthStateList[poolIndex];
250                poolState.weight = weight;
251        
252                if (oldTotalWeights > newTotalWeights) {
253                    for (uint256 i = 1; i < bandwidthStateList.length;) {
254                        if (i != poolIndex) {
255                            uint256 oldBandwidth = bandwidthStateList[i].bandwidth;
256                            if (oldBandwidth > 0) {
257                                bandwidthStateList[i].bandwidth =
258                                    oldBandwidth.mulDivUp(oldTotalWeights, newTotalWeights).toUint248();
259        
260                                leftOverBandwidth += oldBandwidth - bandwidthStateList[i].bandwidth;
261                            }
262                        }

https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-amm/UlyssesPool.sol#L260

Here initially consider this check oldTotalWeights > newTotalWeights, and calculate the

    bandwidthStateList[i].bandwidth =
                                oldBandwidth.mulDivUp(oldTotalWeights, newTotalWeights).toUint248();

Due to above condition ,

   oldBandwidth.mulDivUp(oldTotalWeights, newTotalWeights).toUint248()  > oldBandwidth

Its meaning ,

  bandwidthStateList[i].bandwidth > oldBandwidth

So eventually ,

  leftOverBandwidth += oldBandwidth - bandwidthStateList[i].bandwidth < 0

Initial value is leftOverBandwidth is zero. So leftOverBandwidth is going to be negative then its reverted.

Tools Used

Vs code

Recommended Mitigation Steps

Use

  leftOverBandwidth +=  bandwidthStateList[i].bandwidth - oldBandwidth ;  for line 260

Assessed type

DoS
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jul 1, 2023
code423n4 added a commit that referenced this issue Jul 1, 2023
@code423n4
BPZ issue #433
17739ca
@c4-judge
Copy link
Contributor

trust1995 marked the issue as duplicate of #27

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2023
@c4-judge
Copy link
Contributor

trust1995 marked the issue as satisfactory

@c4-judge
Copy link
Contributor

trust1995 marked the issue as duplicate of #766

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 27, 2023
@c4-judge
Copy link
Contributor

trust1995 changed the severity to 3 (High Risk)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-766 satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge