Skip to content

Latest commit

 

History

History
78 lines (57 loc) · 3.19 KB

058.md

File metadata and controls

78 lines (57 loc) · 3.19 KB

Massive Crimson Cougar

Medium

Incorrect use of bitwise operations masks and shifts can lead to misconfigurations

Bitmask Manipulation

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/configuration/ReserveConfiguration.sol#L99-L102

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/configuration/ReserveConfiguration.sol#L153

Impact: Incorrect use of bitwise operations masks and shifts can lead to misconfigurations, overwriting unrelated fields in the ReserveConfiguration bitmap, and potentially destabilizing the protocol.

Details:

Description:

The ReserveConfiguration library uses bitwise operations to pack multiple configuration parameters into a single uint256 value self.data. Each parameter is represented by a specific range of bits, isolated using predefined masks and shift positions. Improper use of these masks and positions can result in:

  1. Overwriting unrelated bits, corrupting reserve configurations.
  2. Reading invalid data due to an incorrect mask or shift.
  3. Logical errors during parameter updates, leading to unexpected behaviour.

Impact:

Bitmask manipulation errors could:

  • Cause the contract to operate with incorrect reserve parameters, affecting liquidation thresholds, caps, or flags.
  • Create unintended borrowing or freezing behaviour, potentially locking user funds or enabling unauthorized actions.
  • Lead to cascading failures in other parts of the protocol reliant on these configurations.

Proof of Concept (PoC):

Example of Bitmask Misuse:

uint256 incorrectMask = ReserveConfiguration.LTV_MASK << 4; // Incorrect shift
self.data = (self.data & ~incorrectMask) | (newLtv << 20);

In this example:

1. An incorrect shift (<< 4) creates a misaligned mask.
2. This overwrites unrelated fields in self.data, corrupting the reserve's configuration.

Impact in a Live Scenario: If the setLtv function is misused:

  1. It could inadvertently overwrite the Liquidation Threshold or Borrowing Enabled bits, making the reserve unusable.
  2. A misconfiguration may allow users to borrow more than allowed, leading to insolvency risk.

Recommended Mitigation:

Assertions for Mask Validation:

  • Include runtime checks to validate masks and shifts during development. For instance: 
    require((mask & ~mask) == 0, "Invalid mask");
require((shiftedMask & LTV_MASK) == 0, "Overlapping masks");

Code Example for Mask Validation:

Setter Example:

function setLtv(DataTypes.ReserveConfigurationMap memory self, uint256 ltv) internal pure {
    require(ltv <= MAX_VALID_LTV, Errors.INVALID_LTV);

    uint256 clearedData = self.data & ~LTV_MASK; // Clear LTV bits
    uint256 updatedData = clearedData | ltv;    // Set new LTV

    require((updatedData & ~LTV_MASK) == (self.data & ~LTV_MASK), "Unrelated fields overwritten");

    self.data = updatedData;
}

Mask Generator Example:

function createMask(uint256 startBit, uint256 bitLength) internal pure returns (uint256) {
    return ((1 << bitLength) - 1) << startBit;
}