Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 55/168
Findings: 1
Award: $235.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
A malicious actor can overflow his number of votes

1. `delegate` function to delegate the vote to Kane
2. `transferFrom` to transfer his token to the address Alice
3. `delegate` function to delegate the vote to Mike (a new empty account)
4. `getVotes` and Alice = 2, Kane = 6277101735386680763835789423207666416102355444464034512895 and Mike = 2

Look in: `prevTotalVotes - _amount`
Review
I don't have more time, I discovered this bug close to the deadline, but I recommend adding this line before `_writeCheckpoint`:
if (_amount > prevTotalVotes) _amount = prevTotalVotes;
I was only able to do some testing and I think it works, but I'm not entirely sure
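Added example (not the warden's code and not the contest code base): a Python model of the arithmetic the finding relies on, using constructed values. It shows how an unchecked `prevTotalVotes - _amount` followed by a truncating `uint192` cast produces 2^192 - 1, that an underflow by k lands at 2^192 - k (the cast does not mask it), and what the clamp proposed in the Review section changes. The function names are assumptions for illustration only.

```python
# Constructed model of the vote-checkpoint arithmetic discussed in the finding.
# Not the audited contract; function names are hypothetical.
UINT192_MAX = 2**192 - 1


def unchecked_sub_uint256(a: int, b: int) -> int:
    """Solidity `unchecked { a - b }` on uint256: wraps modulo 2^256 instead of reverting."""
    return (a - b) % 2**256


def to_uint192(x: int) -> int:
    """Solidity `uint192(x)`: keeps the low 192 bits and silently drops the rest."""
    return x & UINT192_MAX


def new_total_unchecked(prev_total_votes: int, amount: int) -> int:
    """Vulnerable path as described: unchecked subtraction, then a truncating cast.
    When amount > prev_total_votes the subtraction wraps to 2^256 - k and the cast
    turns that into 2^192 - k, i.e. a near-maximal vote count."""
    return to_uint192(unchecked_sub_uint256(prev_total_votes, amount))


def new_total_clamped(prev_total_votes: int, amount: int) -> int:
    """Mitigation from the Review section: clamp `_amount` to `prevTotalVotes`
    before subtracting, so the balance bottoms out at zero instead of wrapping."""
    if amount > prev_total_votes:
        amount = prev_total_votes
    return to_uint192(prev_total_votes - amount)


if __name__ == "__main__":
    # Point 3 of the scenario: more votes removed than the checkpoint holds.
    prev, amt = 1, 2  # constructed values
    print(new_total_unchecked(prev, amt))  # 6277101735386680763835789423207666416102355444464034512895
    print(new_total_clamped(prev, amt))    # 0
```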
#0 - GalloDaSballo
2022-09-19T20:51:32Z
This looks odd as it's unclear how you'd get to a scenario where you get exactly 6277101735386680763835789423207666416102355444464034512895 votes.
Without context, that number looks pretty random
#1 - rotcivegaf
2022-09-19T21:35:57Z
Well, in L216 the use of `unchecked` gives the possibility to under/overflow; the `prevTotalVotes - _amount` in point 3 underflows, as `_amount` is greater than `prevTotalVotes`.
The magic number 6277101735386680763835789423207666416102355444464034512895 comes from the cast at L252: casting 2^256 - 1 to uint192 gives 2^192 - 1 = 6277101735386680763835789423207666416102355444464034512895.
Also this cast is unsafe, but it should be impossible to get this gigantic number of votes.
#2 - GalloDaSballo
2022-09-19T21:53:05Z
> Well, in L216 the use of `unchecked` gives the possibility to under/overflow; the `prevTotalVotes - _amount` in point 3 underflows, as `_amount` is greater than `prevTotalVotes`.
> The magic number 6277101735386680763835789423207666416102355444464034512895 comes from the cast at L252: casting 2^256 - 1 to uint192 gives 2^192 - 1 = 6277101735386680763835789423207666416102355444464034512895.
> Also this cast is unsafe, but it should be impossible to get this gigantic number of votes.
I think it's unfair against other wardens for you to defend the report as I'm looking at it.
That said other submissions have shown how to achieve the same value, notice that this is an underflow not an overflow
#3 - rotcivegaf
2022-09-19T22:14:32Z
I took the term overflow from the OpenZeppelin contracts, which separate subtraction overflow and addition overflow.
I've read the Backstage Warden Guidelines and I don't think I'm breaking any rules, but if so, I apologize; I just wanted to say that it is not a simple random number and I know what I was talking about.
#4 - GalloDaSballo
2022-09-19T22:32:37Z
> I took the term overflow from the OpenZeppelin contracts, which separate subtraction overflow and addition overflow.
> I've read the Backstage Warden Guidelines and I don't think I'm breaking any rules, but if so, I apologize; I just wanted to say that it is not a simple random number and I know what I was talking about.

Thank you for the info, I believe other wardens have sent a more detailed submission, but after spending more time I was able to connect the dots.
#5 - GalloDaSballo
2022-09-25T23:07:04Z
Dup of #469