Fixed rewards may also be cut

2023-03-0900:00:00

Code4rena

github.com

rewards

vulnerability

packed

function

lotterysetup

decimal

16 bits

mitigation.

JSON

Lines of code

Vulnerability details

Impact

Fixed rewards may change when packed.

Proof of Concept

In LotterySetup.packFixedRewards

function packFixedRewards(uint256[] memory rewards) private view returns (uint256 packed) {
    if (rewards.length != (selectionSize) || rewards[0] != 0) {
        revert InvalidFixedRewardSetup();
    }
    uint256 divisor = 10 ** (IERC20Metadata(address(rewardToken)).decimals() - 1);
    for (uint8 winTier = 1; winTier &lt; selectionSize; ++winTier) {
        uint16 reward = uint16(rewards[winTier] / divisor);
        if ((rewards[winTier] % divisor) != 0) {
            revert InvalidFixedRewardSetup();
        }
        packed |= uint256(reward) &lt;&lt; (winTier * 16);
    }
}

there is no check that the fixed rewards are less than $6553.6$. The values are packed using 16 bits which means that any reward greater than 216 - 1 will be capped at L170. One decimal is used which means that 216 - 1 corresponds to $6553.5$.

Tools Used

Code inspection

Recommended Mitigation Steps

If $6553.5$ is considered sufficient as a maximal value, check that this is not exceeded.

The text was updated successfully, but these errors were encountered:

All reactions

JSON