fix: resolve arithmetic overflow in capture.rs #2

Open
wants to merge 1 commit into
base: main
@DyT9qC DyT9qC commented Jul 18, 2024

Hi Metaplex Team,

I discovered a potential arithmetic overflow issue in the capture.rs file. This issue can occur in the following code line:

let seed = u64::from_le_bytes(*most_recent).saturating_sub(clock.unix_timestamp as u64)
* escrow.count;

When a uint64 type variable is multiplied by another uint64 value, the result may exceed the maximum value of the uint64 type, causing a program panic. The overflow can cause transactions that enable on-chain metadata updates for collections to fail during the execution of the capture_v1 function. Here's a detailed reproduction of the issue:

  • code
    let timestamp = clock.unix_timestamp as u64;
    msg!("timestamp: {}", timestamp);
    let recent_bytes = u64::from_le_bytes(*most_recent);
    msg!("recent_bytes: {}", recent_bytes);
    let subtracted_value = recent_bytes.saturating_sub(timestamp);
    msg!("subtracted_value: {}", subtracted_value);
    msg!("escrow.count: {}", escrow.count);
    let seed = subtracted_value * escrow.count;
    msg!("seed: {}", seed);
  • tx

https://explorer.solana.com/tx/2cgKF1g5mCjgxkfPYRvi26Qqw4z9zRmx3ybA5WUfywGYZZzG4UWXz6VufNPdzFvfrZDyFgUWfKmFG43Ke1bdWNm?cluster=devnet

  • logs


To resolve this issue, the best approach is to remove "* escrow.count". This fix ensures the arithmetic operation remains within safe bounds, preventing potential crashes.

Regarding the Bounty Program, I noticed there is no specific mention of a reward for bugs related to mpl-hybrid. If there is a bounty available for this fix, please send the reward to the following Solana address: 72SebYpPzemzf4h7g52dgCc4awKgmHnoRmn8PLpP8MaK.

Thank you for your attention to this matter.
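
Added example, not part of the pull request or the project's code: the multiplication quoted in the comment above, written with Rust's standard `checked_mul` and `wrapping_mul` so that an oversized product is either reported as an error or wrapped to 64 bits. Function names and input values are constructed for illustration; plain `*` on `u64` panics on overflow only in builds with overflow checks enabled.

```rust
// Added illustration; function names are hypothetical, inputs are constructed.

#[derive(Debug, PartialEq)]
pub enum SeedError {
    Overflow,
}

/// First factor, computed the same way as in the line quoted in the PR.
pub fn base(most_recent: [u8; 8], unix_timestamp: i64) -> u64 {
    u64::from_le_bytes(most_recent).saturating_sub(unix_timestamp as u64)
}

/// checked_mul: overflow becomes an error the caller can return, not a panic.
pub fn seed_checked(most_recent: [u8; 8], ts: i64, count: u64) -> Result<u64, SeedError> {
    base(most_recent, ts).checked_mul(count).ok_or(SeedError::Overflow)
}

/// wrapping_mul: keeps the low 64 bits of the product and never fails.
pub fn seed_wrapping(most_recent: [u8; 8], ts: i64, count: u64) -> u64 {
    base(most_recent, ts).wrapping_mul(count)
}

/// Smallest `count` for which `base * count` no longer fits in a u64.
/// None means no u64 count can overflow (base is 0 or 1).
pub fn overflow_threshold(base: u64) -> Option<u64> {
    if base == 0 {
        return None;
    }
    (u64::MAX / base).checked_add(1)
}

fn main() {
    // Constructed inputs: eight 0xFF bytes stand in for `most_recent`.
    let (recent, ts) = ([0xFFu8; 8], 1_721_260_800i64);
    let b = base(recent, ts);
    println!("base = {b}, overflows from count = {:?}", overflow_threshold(b));
    for count in [1u64, 2, 3] {
        println!(
            "count={count}: checked={:?} wrapping={}",
            seed_checked(recent, ts, count),
            seed_wrapping(recent, ts, count)
        );
    }
}
```

`overflow_threshold` shows how small `escrow.count` can be before the product stops fitting: when the first factor is above `u64::MAX / 2`, a count of 2 is already enough.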
