Lines of code
<https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L272-L277>
There are potential underflow and overflow issues in arithmetic operations. Not being able to verify that subtracting lastClaimedValue from shareData[_id].shareHolderRewardsPerTokenScaled would result in a negative value.
This could lead to affecting the Reward Calculation and Transfer that calculates the rewards earned by the user since the last claim using _getRewardsSinceLastClaim. And during updating of the rewardsLastClaimedValue for the user. The error could lead to wrong updating of the userβs token balance and the total tokens in circulation.
In these codes lines:
uint256 rewardsSinceLastClaim = _getRewardsSinceLastClaim(_id);
rewardsLastClaimedValue[_id][msg.sender] = shareData[_id].shareHolderRewardsPerTokenScaled;
tokensByAddress[_id][msg.sender] += _amount;
shareData[_id].tokensInCirculation += _amount;
_burn(msg.sender, _id, _amount);
AND
function _getRewardsSinceLastClaim(uint256 _id) internal view returns (uint256 amount) {
uint256 lastClaimedValue = rewardsLastClaimedValue[_id][msg.sender];
amount =
((shareData[_id].shareHolderRewardsPerTokenScaled - lastClaimedValue) * tokensByAddress[_id][msg.sender]) /
1e18;
}
To guard against underflow issues in arithmetic operations, especially when subtracting values, you can use SafeMath or similar techniques. Hereβs an example of how you can protect against underflow in the _getRewardsSinceLastClaim function:
// Use SafeMath.sub to protect against underflow
amount = shareData[_id].shareHolderRewardsPerTokenScaled.sub(lastClaimedValue).mul(tokensByAddress[_id][msg.sender]) / 1e18;
}
This ensures that if the subtraction would result in an underflow (i.e., if lastClaimedValue is greater than shareData[_id].shareHolderRewardsPerTokenScaled), it will revert with an error message.
Contract name:
<https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol>
Code lines:
uint256 rewardsSinceLastClaim = _getRewardsSinceLastClaim(_id);
rewardsLastClaimedValue[_id][msg.sender] = shareData[_id].shareHolderRewardsPerTokenScaled;
tokensByAddress[_id][msg.sender] += _amount;
shareData[_id].tokensInCirculation += _amount;
_burn(msg.sender, _id, _amount);
AND
function _getRewardsSinceLastClaim(uint256 _id) internal view returns (uint256 amount) {
uint256 lastClaimedValue = rewardsLastClaimedValue[_id][msg.sender];
amount =
((shareData[_id].shareHolderRewardsPerTokenScaled - lastClaimedValue) * tokensByAddress[_id][msg.sender]) /
1e18;
}
Manual review
Use the SafeMath library the sub and mul functions to prevent underflow.
If youβre using a recent version of Solidity (0.8.0 or later), you can leverage the built-in SafeMath library, which is automatically applied to arithmetic operations.
Math
The text was updated successfully, but these errors were encountered:
All reactions