
One Bug Per Day


Silent overflow could alter computation when calculating the vaultPortion in the PrizePool contract

medium | Code4rena

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L962-L970

Vulnerability details

Impact

  • If an overflow happens, the computed vault portion will be a totally different value from the correct one, which would cause the rewards disbursed to be lower for the draw that was used to compute the vault portion.

Note:

Although the bot report flagged issues with downcasting variables, it did not mention this specific unsafe cast, which, if an overflow occurs, could have a huge impact on the calculation of the vault portions.

Proof of Concept

  • When computing the vaultPortion for the PrizePool over a specific duration in draws, the vaultContributed and totalContributed values are computed in the DrawAccumulatorLib library and returned as uint256 values.

  • The issue is that PrizePool::_getVaultPortion() unsafely casts the vaultContributed and totalContributed variables from uint256 to int256, which could lead to a silent overflow if either of the two original values does not fit in an int256.

    • As a result of a silent overflow, the computed vault portion will be a totally different value from the correct one, which would cause the rewards disbursed to be lower for the draw that was used to compute the vault portion.

Tools Used

Manual Audit

Recommended Mitigation Steps

  • Implement a safe cast that checks whether an overflow occurs, to prevent computing a totally different value from the correct one.
    • Use the OpenZeppelin SafeCast library for this type of operation.
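
The contract below is an added example, not the PrizePool code and not part of the original report. It contrasts the unchecked uint256-to-int256 cast with a checked one; the contract, function and error names are hypothetical, and the ratio is a simplified 1e18 fixed-point stand-in for the vault portion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not code from pt-v5-prize-pool. All names are hypothetical.
contract VaultPortionCastDemo {
    error ValueDoesNotFitInt256(uint256 value);

    int256 internal constant ONE = 1e18; // assumed fixed-point scale for the demo

    // Explicit conversions are not covered by Solidity 0.8 checked arithmetic:
    // any value >= 2**255 is reinterpreted as a negative number, with no revert.
    function uncheckedCast(uint256 value) public pure returns (int256) {
        return int256(value);
    }

    // Checked conversion with the same bound OpenZeppelin's SafeCast.toInt256 enforces.
    function checkedCast(uint256 value) public pure returns (int256) {
        if (value > uint256(type(int256).max)) revert ValueDoesNotFitInt256(value);
        return int256(value);
    }

    // vaultContributed / totalContributed using the unchecked cast.
    function portionUnchecked(uint256 vaultContributed, uint256 totalContributed)
        external pure returns (int256)
    {
        if (totalContributed == 0) return 0;
        return (uncheckedCast(vaultContributed) * ONE) / uncheckedCast(totalContributed);
    }

    // Same ratio, but out-of-range inputs revert instead of producing a wrong value.
    function portionChecked(uint256 vaultContributed, uint256 totalContributed)
        external pure returns (int256)
    {
        if (totalContributed == 0) return 0;
        return (checkedCast(vaultContributed) * ONE) / checkedCast(totalContributed);
    }
}
```

With vaultContributed = 4 and totalContributed = type(uint256).max - 1, portionUnchecked returns -2e18 because the denominator is read as -2, while portionChecked reverts with ValueDoesNotFitInt256.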

Assessed type

Under/Overflow