🚀
Smart Contract Auditors Space
  • 👋Welcome to the Smart Contract Auditors Space
  • Smart Contract Vulnerabilities
    • Anchor
      • FV-ANC-1 Arithmetic Operations
        • FV-ANC-1-CL1 Overflow/underflow in arithmetic operations
        • FV-ANC-1-CL2 Division by zero
        • FV-ANC-1-CL3 Arbitrary rounding
      • FV-ANC-2 Signer Checks
        • FV-ANC-2-CL1 Unvalidated signers
        • FV-ANC-2-CL2 No is_signer check
      • FV-ANC-3 Account/Ownership Validations
        • FV-ANC-3-CL1 Trying to modify an account without checking if it's writeable
        • FV-ANC-3-CL2 Trying to access account data without ownership checks
        • FV-ANC-3-CL3 Usage of UncheckedAccount without manual ownership check
        • FV-ANC-3-CL4 Usage of UncheckedAccount without manual signer check
        • FV-ANC-3-CL5 No is_initialized check when operating on an account
        • FV-ANC-3-CL6 Missing account constraints
        • FV-ANC-3-CL7 Duplicate mutable accounts
        • FV-ANC-3-CL8 Using ctx.remaining_accounts without manual ownership check
        • FV-ANC-3-CL9 Using ctx.remaining_accounts without manual discriminator check
        • FV-ANC-3-CL10 Using ctx.remaining_accounts without non-zero data check
        • FV-ANC-3-CL11 No reload after account mutation
        • FV-ANC-3-CL12 Not validating a set address
      • FV-ANC-4 PDA Security
        • FV-ANC-4-CL1 Using create_program_address
      • FV-ANC-5 Cross-Program Invocation (CPI)
        • FV-ANC-5-CL1 Lack of validation of external program before CPI
        • FV-ANC-5-CL2 CPI without signer seeds
        • FV-ANC-5-CL3 Not unsetting signer status before a CPI
        • FV-ANC-5-CL4 Passing unnecessary accounts to CPIs
      • FV-ANC-6 Error Handling
        • FV-ANC-6-CL1 Unclear error messages
      • FV-ANC-7 Token Operations
        • FV-ANC-7-CL1 Unvalidated token mint & owner
        • FV-ANC-7-CL2 Using init with an ATA
      • FV-ANC-8 System Account Validation
        • FV-ANC-8-CL1 Unvalidated sysvar address
      • FV-ANC-9 Type Cosplay
        • FV-ANC-9-CL1 Not using discriminators to validate account types
        • FV-ANC-9-CL2 Account structures without discriminators
      • FV-ANC-10 Closing accounts
        • FV-ANC-10-CL1 Closing accounts without zeroing data & setting a closed discriminator
        • FV-ANC-10-CL2 Operations on accounts marked as closed
        • FV-ANC-10-CL3 Unintended closure by close constraint
    • Solidity
      • FV-SOL-1 Reentrancy
        • FV-SOL-1-C1 Single Function
        • FV-SOL-1-C2 Cross Function
        • FV-SOL-1-C3 Cross Contract
        • FV-SOL-1-C4 Cross Chain
        • FV-SOL-1-C5 Dynamic
        • FV-SOL-1-C6 Read-Only
      • FV-SOL-2 Precision Errors
        • FV-SOL-2-C1 Token Decimals
        • FV-SOL-2-C2 Floating Point
        • FV-SOL-2-C3 Rounding
        • FV-SOL-2-C4 Division by Zero
        • FV-SOL-2-C5 Time-Based
      • FV-SOL-3 Arithmetic Errors
        • FV-SOL-3-C1 Overflow and Underflow
        • FV-SOL-3-C2 Sign Extension
        • FV-SOL-3-C3 Truncation in Type Casting
        • FV-SOL-3-C4 Misuse of Environment Variables
      • FV-SOL-4 Bad Access Control
        • FV-SOL-4-C1 Using tx.origin for Authorization
        • FV-SOL-4-C2 Unrestricted Role Assignment
        • FV-SOL-4-C3 Lack of Multi-Signature for Crucial Operations
      • FV-SOL-5 Logic Errors
        • FV-SOL-5-C1 Boundary Misalignment
        • FV-SOL-5-C2 Incorrect Conditionals
        • FV-SOL-5-C3 Improper State Transitions
        • FV-SOL-5-C4 Misordered Calculations
        • FV-SOL-5-C5 Event Misreporting
      • FV-SOL-6 Unchecked Returns
        • FV-SOL-6-C1 Unchecked Call Return
        • FV-SOL-6-C2 Unchecked Transfer Return
        • FV-SOL-6-C3 Silent Fail
        • FV-SOL-6-C4 False Positive Success Assumption
        • FV-SOL-6-C5 Partial Execution with No Rollback
        • FV-SOL-6-C6 False Contract Existence Assumption
      • FV-SOL-7 Proxy Insecurities
        • FV-SOL-7-C1 delegatecall Storage Collision
        • FV-SOL-7-C2 Function Selector Collision
        • FV-SOL-7-C3 Centralized Update Control
        • FV-SOL-7-C4 Uninitialized Proxy
      • FV-SOL-8 Slippage
        • FV-SOL-8-C1 Price Manipulation
        • FV-SOL-8-C2 Front-Running
        • FV-SOL-8-C3 Insufficient Liquidity
        • FV-SOL-8-C4 Unexpected Gas Increase
      • FV-SOL-9 Unbounded Loops
        • FV-SOL-9-C1 Dynamic Array
        • FV-SOL-9-C2 Unrestricted Mapping
        • FV-SOL-9-C3 Recursive Calls
        • FV-SOL-9-C4 Reentrancy Loops
        • FV-SOL-9-C5 Nested Loops
      • FV-SOL-10 Oracle Manipulation
        • FV-SOL-10-C1 Incorrect Compounding Mechanism
        • FV-SOL-10-C2 Price Drift
        • FV-SOL-10-C3 Manipulation Through External Markets
        • FV-SOL-10-C4 Time Lags
Powered by GitBook
On this page
  • TLDR
  • Code
  • Classifications
  • Mitigation Patterns
  • State Machine Design (FV-SOL-5-M1)
  • Fail-Safe Defaults (FV-SOL-5-M2)
  • Unit Testing on Edge Cases (FV-SOL-5-M3)
  • Actual Occurrences
  • Content

Was this helpful?

  1. Smart Contract Vulnerabilities
  2. Solidity

FV-SOL-5 Logic Errors

TLDR

Logic errors arise from mistakes in the program’s control flow or conditional statements.

These errors usually occur when the code’s behavior deviates from its intended purpose, not because of a flaw in the underlying arithmetic but due to a conceptual mistake in implementing rules or boundaries.

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract VulnerableMarket {
    uint256 constant BLOCK_EPOCH = 100000;
    mapping(uint256 => uint256) public cantoPerBlock; // Reward rates by epoch
    struct MarketInfo {
        uint256 lastRewardBlock;
        uint256 accCantoPerShare;
    }
    mapping(address => MarketInfo) public marketInfo;

    constructor() {
        cantoPerBlock[0] = 100;       // Reward for epoch 0-99999
        cantoPerBlock[BLOCK_EPOCH] = 0; // No reward for epoch 100000+
    }

    function update_market(address _market) public {
        MarketInfo storage market = marketInfo[_market];
        if (block.number > market.lastRewardBlock) {
            uint256 i = market.lastRewardBlock;
            while (i < block.number) {
                uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH;
                // Incorrect: should be `epoch + BLOCK_EPOCH`
                // Adding BLOCK_EPOCH to i only creates a fixed offset from i. It moves i forward by 100,000 blocks from whatever its current position is. However, this new position could land anywhere within an epoch and will not necessarily align with the start of the next epoch boundary
                uint256 nextEpoch = i + BLOCK_EPOCH; 
                uint256 blockDelta = min(nextEpoch, block.number) - i;

                // Incorrect reward calculation across epochs
                market.accCantoPerShare += blockDelta * cantoPerBlock[epoch];
                i += blockDelta;
            }
            market.lastRewardBlock = block.number;
        }
    }

    function min(uint256 a, uint256 b) internal pure returns (uint256) {
        return a < b ? a : b;
    }
}

Classifications

FV-SOL-5-C1 Boundary Misalignment

FV-SOL-5-C2 Incorrect Conditionals

FV-SOL-5-C3 Improper State Transitions

FV-SOL-5-C4 Misordered Calculations

FV-SOL-5-C5 Event Misreporting

Mitigation Patterns

State Machine Design (FV-SOL-5-M1)

The State Machine Design mitigation pattern is a robust approach for managing complex workflows or processes with defined states

Fail-Safe Defaults (FV-SOL-5-M2)

Use safe defaults in case of unexpected conditions or edge cases

Unit Testing on Edge Cases (FV-SOL-5-M3)

Implement exhaustive tests for each function, focusing on boundary values, extreme inputs, and edge cases

Actual Occurrences

Content

PreviousFV-SOL-4-C3 Lack of Multi-Signature for Crucial OperationsNextFV-SOL-5-C1 Boundary Misalignment

Last updated 6 months ago

Was this helpful?

https://solodit.cyfrin.io/issues/h-02-eth-gets-locked-in-the-groupcoinfactory-contract-pashov-audit-group-none-groupcoin-markdown
https://www.linkedin.com/pulse/state-machine-design-pattern-insolidity-luis-soares-m-sc-/
Page cover image