Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ABDKMath64x64.sol is used in circles codebase which has a known issue #121

Open
hats-bug-reporter bot opened this issue Sep 19, 2024 · 2 comments
Open

ABDKMath64x64.sol is used in circles codebase which has a known issue #121

hats-bug-reporter bot opened this issue Sep 19, 2024 · 2 comments
Labels
bug Something isn't working Invalid - Well-Written Submission

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0xe7aedbcf4ab85e583ab1310f04140fd8111235d988251c4f47e6fbdc01c3c0f9
Severity: low

Description:
Description
the vulnerability exists below in the ABDKMath64 library in the divuu function

function divuu (uint256 x, uint256 y) private pure returns (uint128) {
    unchecked {
      require (y != 0);

      uint256 result;

      if (x <= 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
        result = (x << 64) / y;//@audit
      else {
        uint256 msb = 192;
        uint256 xc = x >> 192;
        if (xc >= 0x100000000) { xc >>= 32; msb += 32; }
        if (xc >= 0x10000) { xc >>= 16; msb += 16; }
        if (xc >= 0x100) { xc >>= 8; msb += 8; }
        if (xc >= 0x10) { xc >>= 4; msb += 4; }
        if (xc >= 0x4) { xc >>= 2; msb += 2; }
        if (xc >= 0x2) msb += 1;  // No need to shift xc anymore

        result = (x << 255 - msb) / ((y - 1 >> msb - 191) + 1);//@audit- precision loss then it is multiplied below
        require (result <= 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF);

        uint256 hi = result * (y >> 128);
        uint256 lo = result * (y & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF);//@audit

        uint256 xh = x >> 192;
        uint256 xl = x << 64;

        if (xl < lo) xh -= 1;
        xl -= lo; // We rely on overflow behavior here
        lo = hi << 128;
        if (xl < lo) xh -= 1;
        xl -= lo; // We rely on overflow behavior here

        result += xh == hi >> 128 ? xl / y : 1;
      }

      require (result <= 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF);
      return uint128 (result);
    }
  }
result = (x << 255 - msb) / ((y - 1 >> msb - 191) + 1);//@audit-precision loss
 uint256 hi = result * (y >> 128);
        uint256 lo = result * (y & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF);

i am submitting this issue as low as this function is not particularly used in the codebase,but may cause problems in the future if implemented

below is the same issue found in the mimo contest on Code4rena

code-423n4/2022-04-mimo-findings#151

Attack Scenario\

Attachments

  1. Proof of Concept (PoC) File
  1. Revised Code File (Optional)
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Sep 19, 2024
@batmanBinary
Copy link

let me know,if you need anything more on this issue.

@benjaminbollen
Copy link
Collaborator

thanks for referring the other competition. We use the latest version of the library, and indeed don't touch on this function.

If this issue is indeed asserted (I am not able to evaluate at first sight whether this would be a rounding error in the least significant digits or not); in either case, I would recommend this is claimed as an issue on the repository itself for the authors to evaluate.

Thanks for making us aware though!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Invalid - Well-Written Submission
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@benjaminbollen @batmanBinary