F-2024-0002·integer-overflow
Inconsistent amount type in withdraw function
TL;DR
withdraw declares amount as uint256 but the value is handled as uint128 on the NEAR side, creating an integer-overflow risk if the supplied amount exceeds type(uint128).max.
Severity
LOW
Impact
LOW
Likelihood
LOW
Method
MManual review
CAT.
Complexity
LOW
Exploitability
LOW
02Section · Description
Description
In the provided code snippet, the withdraw function of the contract takes an amount parameter of type uint256. However, upon further analysis, it appears that the amount is being handled as uint128 in other parts of the contract.
Solidity Part:
solidity
function withdraw(string memory token,uint256 amount,string memory recipient) external whenNotPaused(PAUSED_WITHDRAW) {_checkWhitelistedToken(token, msg.sender);require(_isBridgeToken[_nearToEthToken[token]], "ERR_NOT_BRIDGE_TOKEN");address tokenEthAddress = _nearToEthToken[token];BridgeToken(tokenEthAddress).burn(msg.sender, amount);emit Withdraw(token, msg.sender, amount, recipient, tokenEthAddress);}
Near Side (Rust):
rust
#[near_bindgen]impl FungibleTokenReceiver for Contract {/// Callback on receiving tokens by this contract./// msg: `Ethereum` address to receive the tokens on.#[pause(except(roles(Role::DAO, Role::UnrestrictedDeposit)))]fn ft_on_transfer(&mut self,sender_id: AccountId,amount: U128,msg: String,) -> PromiseOrValue<U128> {self.check_whitelist_token(env::predecessor_account_id(), sender_id);let eth_address = validate_eth_address(msg);ext_self::ext(env::current_account_id()).with_static_gas(FT_FINISH_DEPOSIT_GAS).finish_deposit(env::predecessor_account_id(), amount.0, eth_address);PromiseOrValue::Value(U128(0))}}
03Section · Impact
Impact
If the amount is intended to be uint128 but is declared as uint256, there is a risk of integer overflow. If the amount value exceeds the maximum value that can be represented by uint128, it will overflow.
04Section · Recommendation
Recommendation
Modify the function signature to:
solidity
function withdraw(string memory token, uint128 amount, string memory recipient)externalwhenNotPaused(PAUSED_WITHDRAW);
05Section · Resolution
Resolution
Resolved.
Status
Fixed