Lines of code
<https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L272-L277&gt;

Vulnerability details

Impact

There are potential underflow and overflow issues in arithmetic operations. Not being able to verify that subtracting lastClaimedValue from shareData[_id].shareHolderRewardsPerTokenScaled would result in a negative value.

This could lead to affecting the Reward Calculation and Transfer that calculates the rewards earned by the user since the last claim using _getRewardsSinceLastClaim. And during updating of the rewardsLastClaimedValue for the user. The error could lead to wrong updating of the user’s token balance and the total tokens in circulation.

In these codes lines:

   uint256 rewardsSinceLastClaim = _getRewardsSinceLastClaim(_id);
    rewardsLastClaimedValue[_id][msg.sender] = shareData[_id].shareHolderRewardsPerTokenScaled;
    tokensByAddress[_id][msg.sender] += _amount;
    shareData[_id].tokensInCirculation += _amount;
    _burn(msg.sender, _id, _amount);

AND
function _getRewardsSinceLastClaim(uint256 _id) internal view returns (uint256 amount) {
uint256 lastClaimedValue = rewardsLastClaimedValue[_id][msg.sender];
amount =
((shareData[_id].shareHolderRewardsPerTokenScaled - lastClaimedValue) * tokensByAddress[_id][msg.sender]) /
1e18;
}

Proof of Concept

To guard against underflow issues in arithmetic operations, especially when subtracting values, you can use SafeMath or similar techniques. Here’s an example of how you can protect against underflow in the _getRewardsSinceLastClaim function:

// Use SafeMath.sub to protect against underflow
amount = shareData[_id].shareHolderRewardsPerTokenScaled.sub(lastClaimedValue).mul(tokensByAddress[_id][msg.sender]) / 1e18;
}

This ensures that if the subtraction would result in an underflow (i.e., if lastClaimedValue is greater than shareData[_id].shareHolderRewardsPerTokenScaled), it will revert with an error message.

Contract name:
<https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol&gt;

Code link:
<https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L232-L236&gt;

<https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L272-L277&gt;

Code lines:

    uint256 rewardsSinceLastClaim = _getRewardsSinceLastClaim(_id);
    rewardsLastClaimedValue[_id][msg.sender] = shareData[_id].shareHolderRewardsPerTokenScaled;
    tokensByAddress[_id][msg.sender] += _amount;
    shareData[_id].tokensInCirculation += _amount;
    _burn(msg.sender, _id, _amount);

AND

function _getRewardsSinceLastClaim(uint256 _id) internal view returns (uint256 amount) {
uint256 lastClaimedValue = rewardsLastClaimedValue[_id][msg.sender];
amount =
((shareData[_id].shareHolderRewardsPerTokenScaled - lastClaimedValue) * tokensByAddress[_id][msg.sender]) /
1e18;
}

Tools Used

Manual review

Recommended Mitigation Steps

Use the SafeMath library the sub and mul functions to prevent underflow.

If you’re using a recent version of Solidity (0.8.0 or later), you can leverage the built-in SafeMath library, which is automatically applied to arithmetic operations.

Assessed type

Math

---

The text was updated successfully, but these errors were encountered:

All reactions