The function getDeploymentBlock() in the Holographer contract returns an incorrect data type
#107
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate
This issue or pull request already exists
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
responded
The Holograph team has reviewed and responded
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
2 (Med Risk)
gzeoneth
added
sponsor confirmed
|
The value is correct but the type is wrong, I think is low risk. |
|
Valid, but low risk. Type issue will be addressed |
ACC01ADE
added
responded
gzeoneth
added
QA (Quality Assurance)
|
As QA report |
53 tasks
|
Consider with #113 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/enforcer/Holographer.sol#L174
Vulnerability details
Impact
The function
getDeploymentBlock()present in theHolographercontract returns anaddress, while everything indicates that the underlying value holds auint256that represents a block number, and even the function is named after that. This is caused because the contract uses unstructured storage and the slot value is sloaded directly into anaddresstype, and could make integrations with this code fail, or even truncate the returned value since the address type is 20 bytes long.The error is also present in the interface
HolographerInterface.Recommendation
The return type in the contract and interface should be changed to
uint256.The text was updated successfully, but these errors were encountered: