Platform: Code4rena
Start Date: 07/06/2022
Pot Size: $75,000 USDC
Total HM: 11
Participants: 77
Period: 7 days
Judge: gzeon
Total Solo HM: 7
Id: 124
League: ETH
Rank: 50/77
Findings: 1
Award: $96.77
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Bronicle, Chom, Cityscape, Deivitto, Funen, GimelSec, GreyArt, IllIllI, JC, Lambda, Meera, Nethermind, Picodes, PierrickGT, Ruhum, Sm4rty, Tadashi, TerrierLover, TomJ, Trumpero, Waze, _Adam, antonttc, ayeslick, c3phas, catchup, cccz, cloudjunky, cryptphi, csanuragjain, delfin454000, dipp, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, jonah1005, kenzo, minhquanym, oyc_109, sach1r0, saian, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s, zzzitron
96.7678 USDC - $96.77
In line L230 of the `wfCashLogic` contract, it states that the `from` address should receive the tokens. But, it's actually the user-specified `opts.receiver` address.
`_safeNegInt88()` conversion isn't really safe

Here's the function: https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L243

```solidity
function _safeNegInt88(uint256 x) private pure returns (int88) {
    int256 y = -int256(x);
    require(int256(type(int88).min) <= y);
    return int88(y);
}
```
When converting a `uint` to an `int` you have to first check whether the `uint` value is larger than the max. `int` value, since `int.max * 2 == uint.max`. So the very first line can trigger an overflow.
I think the correct conversion should be:
```solidity
// check whether x is small enough to be an `int88`
// (cast via uint88: Solidity 0.8+ rejects one explicit cast that changes both sign and width)
require(uint256(uint88(type(int88).max)) >= x);
// if it's small enough we can freely convert to `int256`, turn it into a negative value, and then turn it into an `int88`
return int88(-int256(x));
```
But, the function doesn't seem to be used anywhere.
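The following Python model is an added illustration, not code from the contest repository or the report. It assumes Solidity 0.8 semantics (explicit integer casts wrap or truncate silently, arithmetic is checked) and runs the quoted function and the proposed replacement over constructed inputs to show which values slip through.

```python
# Added model of Solidity >=0.8 integer behaviour (an assumption of this example):
# explicit casts wrap/truncate without reverting, checked arithmetic reverts.
INT256_MIN = -(1 << 255)
INT88_MIN, INT88_MAX = -(1 << 87), (1 << 87) - 1


class Revert(Exception):
    """Stands in for an EVM revert."""


def to_int(value: int, bits: int) -> int:
    """Explicit cast to intN: keep the low N bits, read them as two's complement."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def safe_neg_int88_original(x: int) -> int:
    """The function as quoted from wfCashERC4626.sol."""
    as_int = to_int(x, 256)        # int256(x): wraps for x >= 2**255
    if as_int == INT256_MIN:       # negating int256.min overflows (checked)
        raise Revert("negation overflow")
    y = -as_int
    if not INT88_MIN <= y:         # only the lower bound is enforced
        raise Revert("require failed")
    return to_int(y, 88)           # int88(y): truncates silently


def safe_neg_int88_checked(x: int) -> int:
    """The replacement proposed in the report: bound x before any signed cast."""
    if not INT88_MAX >= x:
        raise Revert("require failed")
    return to_int(-to_int(x, 256), 88)


def outcome(fn, x: int):
    """Return the function's result, or a string describing the revert."""
    try:
        return fn(x)
    except Revert as exc:
        return f"revert: {exc}"


if __name__ == "__main__":
    # Constructed uint256 inputs: in range, int256 boundary, and two wrapped values.
    for x in (1000, 1 << 255, (1 << 255) + 1, (1 << 256) - 5):
        print(hex(x), outcome(safe_neg_int88_original, x),
              outcome(safe_neg_int88_checked, x), sep=" | ")
```

In this model the original accepts `2**256 - 5` and returns `5`, a positive result from a negation helper, while the bounded version reverts on every input above `int88.max`.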