Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential Vault Data Collision in Extreme Scenarios #80

Open
hats-bug-reporter bot opened this issue Jun 30, 2024 · 1 comment
Open

Potential Vault Data Collision in Extreme Scenarios #80

hats-bug-reporter bot opened this issue Jun 30, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0x45af594e37907786efc19eea5046d4b897518936ba6dc1ee0e011e4b1bfa26dd
Severity: medium

Description:
Description
In the EthMultiVault contract, the getCounterIdFromTriple function calculates the ID of a counter vault by subtracting the original vault ID from type(uint256).max. This approach works well for a reasonable number of vaults, but in an extreme scenario where the number of vaults exceeds uint256.max / 2, there's a theoretical risk of data collision between regular vaults and counter vaults.

Attack Scenario
While highly improbable in practice, the following scenario could theoretically occur:

  1. The contract continues to create new vaults until the vault ID exceeds uint256.max / 2.
  2. At this point, new vault IDs start to overlap with the counter IDs of existing vaults.
  3. This could lead to data corruption or unexpected behavior when interacting with these high-numbered vaults or their counters.

For example:

  1. Vault with ID 2^255 is created.
  2. Its counter vault ID would be 2^256 - 1 - 2^255, which equals 2^255 - 1.
  3. If a new vault is later created with ID 2^255 - 1, it would collide with the counter of the first vault.

Attachments

Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a/src/EthMultiVault.sol

Lines 1354 to 1355 in b2e422f

function getCounterIdFromTriple(uint256 id) public pure returns (uint256) {
return type(uint256).max - id;

  1. Revised Code File (Optional)
contract EthMultiVault {
    mapping(uint256 => VaultState) public vaults;
    mapping(uint256 => VaultState) public counterVaults;

    function getCounterIdFromTriple(uint256 id) public pure returns (uint256) {
        require(id <= type(uint256).max / 2, "Invalid vault ID");
        return id;
    }

    function getVaultState(uint256 id, bool isCounter) public view returns (VaultState memory) {
        if (isCounter) {
            return counterVaults[id];
        } else {
            return vaults[id];
        }
    }

    // Other functions would need to be updated to use the new structure
}
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Jun 30, 2024
@mihailo-maksa mihailo-maksa added the invalid This doesn't seem right label Jul 1, 2024
@mihailo-maksa
Copy link
Collaborator

The report suggests that there could be a theoretical risk of data collision between regular vaults and counter vaults in an extreme scenario where the number of vaults exceeds uint256.max / 2.

Label: invalid

Comment:
The described scenario is practically impossible. There have been fewer transactions on all blockchains combined since inception than the number of vaults that would need to be created to encounter the described extreme scenario causing vault data collisions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mihailo-maksa