Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 84/120
Findings: 1
Award: $23.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: sashik_eth
Also found by: 0x4non, 0x6980, 0xAgro, Cryptor, Kaysoft, Kenshin, Madalad, SaeedAlipoor01988, Sathish9098, W0RR1O, adriro, ayden, btk, catellatech, codeslide, devscrooge, georgits, giovannidisiena, lukris02, matrix_0wl, sayan, tnevler, tsvetanovv
23.0813 USDC - $23.08
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L230
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L231
Check PoC please.
The code casts netInputAmount - feeAmount - protocolFeeAmount, which is a uint256, to a uint128. If netInputAmount - feeAmount - protocolFeeAmount is larger than 2 ** 128 - 1, the unsafe cast silently keeps only its low 128 bits, so the value added to the reserves is much smaller than the real amount.
// update the virtual reserves
virtualBaseTokenReserves += uint128(netInputAmount - feeAmount - protocolFeeAmount);
virtualNftReserves -= uint128(weightSum);
The same happens for weightSum:
// calculate the sum of weights of the NFTs to buy
uint256 weightSum = sumWeightsAndValidateProof(tokenIds, tokenWeights, proof);
If sumWeightsAndValidateProof(tokenIds, tokenWeights, proof) returns a value larger than 2 ** 128 - 1, the unsafe cast again keeps only its low 128 bits, so virtualNftReserves is decreased by less than the true weight sum.
Manually
Use OpenZeppelin’s SafeCast library when casting from uint256 to uint128.
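The following Foundry test is an added illustration, not code from the Caviar repository: a constructed stand-in contract reproduces the reported reserve-update pattern with a plain uint128() cast beside the SafeCast variant, and the tests show that the former truncates while the latter reverts. It assumes forge-std and OpenZeppelin are available through the project's remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";

// Constructed stand-in for the reserve update described in the finding;
// this is not the Caviar PrivatePool contract.
contract ReservesDemo {
    uint128 public virtualBaseTokenReserves;

    // Mirrors the reported pattern: an explicit uint128() downcast keeps
    // only the low 128 bits of the uint256 value, with no revert.
    function addUnsafe(uint256 amount) external {
        virtualBaseTokenReserves += uint128(amount);
    }

    // Recommended fix: SafeCast.toUint128 reverts if amount > type(uint128).max.
    function addSafe(uint256 amount) external {
        virtualBaseTokenReserves += SafeCast.toUint128(amount);
    }
}

contract ReservesDemoTest is Test {
    ReservesDemo demo;

    function setUp() public {
        demo = new ReservesDemo();
    }

    function testUnsafeCastTruncates() public {
        // 2**128 + 5 does not fit in uint128; its low 128 bits are 5.
        uint256 tooLarge = (uint256(1) << 128) + 5;
        demo.addUnsafe(tooLarge);
        // The reserves record 5 instead of rejecting the oversized value.
        assertEq(demo.virtualBaseTokenReserves(), 5);
    }

    function testSafeCastReverts() public {
        uint256 tooLarge = (uint256(1) << 128) + 5;
        vm.expectRevert(); // SafeCast rejects any value above type(uint128).max
        demo.addSafe(tooLarge);
        // In-range values are still accepted unchanged.
        demo.addSafe(type(uint128).max);
        assertEq(demo.virtualBaseTokenReserves(), type(uint128).max);
    }
}
```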
#0 - c4-pre-sort
2023-04-20T18:04:57Z
0xSorryNotSorry marked the issue as duplicate of #625
#1 - c4-judge
2023-04-27T08:54:15Z
GalloDaSballo marked the issue as duplicate of #167
#2 - c4-judge
2023-05-02T07:55:16Z
GalloDaSballo changed the severity to 3 (High Risk)
#3 - c4-judge
2023-05-02T07:56:09Z
GalloDaSballo marked the issue as satisfactory