The Hidden Dangers of Improper Mathematical Operations in Web3

In this article, we focus on DeFi vulnerabilities resulting from improper handling of mathematical operations in Solidity, specifically Arithmetic Underflow and Arithmetic Overflow; we will also provide recommended protection solutions against such vulnerabilities.

What are Overflow and Underflow?

Arithmetic overflow occurs when a program’s mathematical operation produces a value exceeding the maximum value the program can store as a binary format. In Solidity, there are 2 types of integers: The first is the unsigned integers (uint), storing non-negative values from 0 to (2256–1). The second is the signed integers (int), storing both positive and negative values ranging from -2255 to (2255–1). For instance, in Solidity, a smart contract with a 256-bit unsigned integer (uint256) can store values up to 2 ²⁵⁶ -1 (or in a longer version: 115,792,…639,935).

If a generated number exceeds these ranges an overflow will occur. Meaning that the code won’t be computed properly and circles back to zero. This feature can be exploited by repeatedly invoking the feature that increases the value. Since Solidity does not provide native overflow detection, it is important for developers to be aware of this issue and to ensure that their code takes these possible errors into account. In earlier Solidity versions (< 8.0), such calculations would wrap around. Meaning that ²²⁵⁶-1 + 1 = 0, causing a major Overflow vulnerability which didn’t went unnoticed by crypto attackers.

Arithmetic Overflow and Underflow hacks can occur when an operation is performed that requires a fixed-size variable to store the result of the operation.

The opposite of Arithmetic Overflow, is the Arithmetic Underflow. The letter occurs when a calculation produces a value too low to be stored in the data type associated with it. The result is that the calculation wraps around and begins from the next largest possible value. For example, if a contract’s balance reaches zero, calling a “decrease function” would cause the contract to produce ²²⁵⁶-1 as a result. Underflow attacks are simpler and thus are more common. These vulnerabilities are relatively easy to initiate and occur in transactions that accept unauthorized input data or value.

Vulnerabilities that leads to major attacks

As shown by the 2018 Beauty Chain hack, the Proof of Weak Hands hack, and the last hack on Poolz launchpad. These 2 famous hacks were a significant indication of hackers ``modos opperendy” when it comes to exploiting Overflow and Underflow vulnerabilities. In these attacks, hackers created a bypass check to understand where an Underflow transaction can be sent into the smart contract and create a loophole that enabled them to drain large amounts of tokens from these smart contracts.

How to avoid such attacks?

To prevent arithmetic underflow and overflow vulnerabilities, developers can utilize libraries such as SafeMath for functions that are performing arithmetic operations and thus check for integer overflow/underflow potential vulnerabilities. The procedure itself is super-easy and can prevent major risks along the way.

It is also recommended to compile contracts using Solidity 8.0 or later, as any calculations that result in overflow or underflow will automatically revert and throw an error, making contracts safer without needing to use custom logic or libraries.

As mentioned, in the most recent hacks that were analyzed, hackers were able to trick the vesting contract into believing that it is getting a deposit of a large amount of tokens, while actually depositing a tiny amount.

Regularly update your code and audit it all while working with an active defense system that monitors vulnerabilities and responds by shutting the protocol “Kill-switch”.

Detection and Responding systems

Ironblocks detection and respond system was tracking POOLZ protocol hack and was triggered in real-time when the hack began. Unfortunately, back at the time POOLZ team were not using our response services, as we could have triggered the protocol kill switch instantly. Ironblocks firewall system was able to stop this hack from taking place by stoping the protocol automatically.

Luckily, the Poolz hack ended with a “minor” damage of around $450K stolen. Things could have ended differently if the team was late to respond. With the Beauty Chain (BEC) coin hack, things were worse, as a security loophole from one line of code almost crashed the market value completely.

Recent hacks in the web3 industry have underscored the need for robust security measures. While taking audits into consideration an additional security layer is a a must have!

‍