📄

Report #13438

Report Date
November 12, 2022
Status
Closed
Payout

An Arithmetic overflow issue in smart contract due to missing Substraction checks

Report Info

BIC Response

After some review, the BIC has determined that this is not a valid bug report because overflow is impossible in this case.

In Line 79 of Fertilizer.sol: stopBpf = min(endBpf, s.bpf)

  • endBpf is the Fertilizer Id
  • s.bpf is the input to __update(...) as bpf is set to IBS(owner()).beansPerFertilizer())

As endBpf is a constant and s.bpf is increasing, we can conclude that stopBpf is constant or strictly increasing.

In line 83: _balances[ids[i]][account].lastBpf = uint128(stopBpf);

As stopBpf for a given id is strictly constant or increasing and _balances[ids[i]][account].lastBpf is set to stopBpf the last time __update(...) was called, it can be concluded that:

  • _balances[ids[i]][account].lastBpf >= stopBpf.

Therefore it is impossible for overflow to occur in the statement: stopBpf - _balances[ids[i]][account].lastBpf

Due to these reasons, we are closing the submission and no reward will be issued.

Immunefi Response

Our finding is that the attack described in this bug report is impossible. This submission was correctly closed and no reward should be given.

TECHNICAL ASSESSMENT:

Here are some more specifics from our technical assessment of the mediation request. After thorough review our team concluded that it is impossible to achieve the overflow.

In the __update() the uint256 deltaBpf = stopBpf - _balances[ids[i]][account].lastBpf; is used to calculate beans value to be emitted in the ClaimFertilizer event. The lastBpf value was set based on the stopBpf value, and for the underflow to occur the stopBpf value must be smaller than the lastBpf value.

This condition is impossible to be met because the stopBpf can only increment overtime or constantly. Therefore the lastBpf value will always be lower than the stopBpf value and therefore, the underflow can't be reached.

Even though the you managed to make the deltaBpf value underflow, it still must go through (https://etherscan.io/address/0x39cdaf9dc6057fd7ae81aaed64d7a062aaf452fd/advanced#code#82) which has safety checks and will result in the reverted transaction.