Maia DAO - Ulysses - Myd's results

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L966-L978 https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L1045-L1064

Vulnerability details

Impact

The _createSettlement and _createSettlementMultiple functions increment the settlementNonce state variable using a simple addition. This can cause an integer overflow when the nonce reaches the maximum uint32 value.

• Will result in nonce resetting from very high values to 0.
• Can lead to nonce collisions between settlements.
• Causes errors and failures in settlement handling.

Proof of Concept

The settlement nonce increment in _createSettlement is done using a simple increment. This could overflow eventually. https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L966-L978

The settlement nonce increment in _createSettlementMultiple is done using a simple increment. This could overflow eventually. https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L1045-L1064

The nonce increment logic occurs at these lines:

// RootBridgeAgent.sol

function _createSettlement(...) internal returns (bytes memory) {

  // ...

  // Issue is here:
  settlementNonce = settlementNonce + 1;

  // ...

}

function _createSettlementMultiple(...) internal returns (bytes memory) {
  
  // ...

  // Issue is also here:
  settlementNonce = settlementNonce + 1;  

  // ...

}

The settlementNonce is incremented using a simple addition.

This could eventually overflow, especially if the contract is long-lived.

A more in-depth of how the settlement nonce increment can overflow.

The nonce increment logic:

uint32 public settlementNonce;

function _createSettlement

function _createSettlement() internal {
  // Increment 
  settlementNonce = settlementNonce + 1; 
}

The settlementNonce variable is a uint32.

This means it can hold values between 0 and 2^32 - 1.

When it reaches the max value 2^32 - 1, incrementing will overflow.

• For example:

  • If settlementNonce is 4294967295 (2^32 - 1)

  • settlementNonce + 1 overflows to 0

Proof of overflow:

Let's assume settlementNonce = 4294967295  (2^32 - 1)

settlementNonce + 1 

= 4294967295 + 1
= 4294967296

But uint32 can only hold values up to 2^32 - 1.

So 4294967296 overflows and loops back to 0.

Impact of overflow:

• This causes the nonce to reset from very high values to 0.

• Could result in nonce collisions.

• Two settlements end up with the same nonce, leading to errors.

Tools Used

Manual Inspection

Recommended Mitigation Steps

A better approach would be to use the SafeMath library's add function:

settlementNonce = settlementNonce.add(1); 

This prevents overflow issues.

Assessed type

Under/Overflow