Platform: Code4rena
Start Date: 05/01/2023
Pot Size: $90,500 USDC
Total HM: 55
Participants: 103
Period: 14 days
Judge: Picodes
Total Solo HM: 18
Id: 202
League: ETH
Rank: 73/103
Findings: 1
Award: $51.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ladboy233
Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh
51.3151 USDC - $51.32
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898//src/PublicVault.sol#L548
https://github.com/code-423n4/2023-01-astaria/blob/40065677771348dbfde8c1ca442825ae37e2c3d0/src/AstariaVaultBase.sol#L50-L52
https://github.com/code-423n4/2023-01-astaria/blob/feb342a6666b9a97ef16d25151e020281acb1f5f/src/VaultImplementation.sol#L287
getLienEpoch() unsafe typecast leads to more time window for operations
Even though Solidity 0.8.x is used, type casts do not throw an error. A SafeCast library must be used everywhere a typecast is done. SafeCast Reference. A type cast that overflows doesn't throw an error / revert.
Wrong values are used throughout the code, as overflow / underflow doesn't revert on cast.
getLienEpoch is a public function used by handleBuyoutLien, updateVaultAfterLiquidation, _afterCommitToLien, and this one being used internally by the VaultImplementation#commitToLien() method.
If the START() value is bigger than uint64, this would lead to the open windows being open for more time than expected, as the end - uint64(START()) won't work as expected.
```solidity
uint256(Math.ceilDiv(end - uint64(START()), EPOCH_LENGTH()) - 1)
```

```solidity
function START() public pure returns (uint256) {
  return _getArgUint256(61); //@audit returns uint256, therefore can overflow in uint(64)
}
```
If the value stored and retrieved with _getArgUint256(61) is bigger than uint64, it will silently overflow, leading to a wrong result.
Manual Review
Use the SafeCast library for conversions that can overflow / underflow.
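The truncating cast described above, next to a checked form, as an added example that is not part of the original submission or Astaria's code. The contract name, function names, the custom error, and the `uint64 end` parameter type are assumptions made for illustration; `start` and `epochLength` stand in for `START()` and `EPOCH_LENGTH()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative contract (hypothetical names), not Astaria's implementation.
contract EpochCastDemo {
    error StartOverflowsUint64(uint256 start);

    uint256 public immutable start;       // stands in for START()
    uint256 public immutable epochLength; // stands in for EPOCH_LENGTH()

    constructor(uint256 start_, uint256 epochLength_) {
        start = start_;
        epochLength = epochLength_;
    }

    // Same shape as the expression quoted in the finding. The explicit
    // uint64(...) conversion keeps only the low 64 bits of `start` and
    // never reverts, even under Solidity 0.8.x checked arithmetic.
    function lienEpochUnchecked(uint64 end) public view returns (uint256) {
        return ceilDiv(end - uint64(start), epochLength) - 1;
    }

    // Checked form: reject a `start` that does not fit in 64 bits
    // before narrowing, so a misconfigured value fails loudly.
    function lienEpochChecked(uint64 end) public view returns (uint256) {
        if (start > type(uint64).max) revert StartOverflowsUint64(start);
        return ceilDiv(end - uint64(start), epochLength) - 1;
    }

    // Ceiling division on uint256, written inline so the file compiles
    // without external imports.
    function ceilDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        return a == 0 ? 0 : (a - 1) / b + 1;
    }
}
```

OpenZeppelin's `SafeCast.toUint64` performs the same bounds check and can replace the manual `if`.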
#0 - Picodes
2023-01-26T15:41:31Z
Downgrading to QA as this would be a configuration error as it seems START is supposed to be a timestamp
#1 - c4-judge
2023-01-26T15:41:38Z
Picodes changed the severity to QA (Quality Assurance)
#2 - c4-judge
2023-01-26T15:41:43Z
Picodes marked the issue as grade-b