Intro to Smart Contract Security Audits | Overflow

let’s take a look at what an overflow is:

There are two types of Flow, Overflow, and Underflow. The so-called overflow refers to the fact that when a single numerical calculation is run, the result of the calculation is greater than the capacity limit that the register or memory can store or represent. For example, in Solidity, the range that uint8 can represent is 256 numbers from 0 to 255. When the uint8 type is used to calculate 255 + 1 in the actual operation, an overflow will occur, so the calculated result is 0, the minimum value that the uint8 type can represent. Similarly, underflow is when the calculation result is minimal, less than the capacity limit that the register or memory can store or represent. For example, in Solidity, when the uint8 type is used to calculate 0–1, it will produce underflow, so the computed value is 255, which is the maximum value that the uint8 type can represent.

Example

After reading about Overflows, let’s take a look at an example with codes:

Vulnerability analysis

We can see that the TimeLock contract acts as a time vault. Users can deposit and lock funds into the contract through the deposit function to be locked for at least one week. Of course, the user can still increase the storage time through the increaseLockTime function. The user cannot withdraw the tokens locked in the TimeLock contract before the set storage period expires.

Repair suggestions

Now that we understand overflow vulnerabilities better, we can learn how to protect against them. We will learn how to prevent overflow vulnerabilities and quickly spot them from the perspective of developers and auditors:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist

1.6K Followers

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.