Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Palmy Finance>High findings>The locked amount is truncated to ,int128, in the ,_depositFor, function
GeneralOverview
Findings
High (5)Stale prices from oracleZero price from the fallback oracleSuspending a token does not clear the variableThe locked amount is truncated to `int128`An interest portion of collected fees are locked
Medium (3)
Low (1)
Informational (2)
DiscussionTest suiteOracle risksUnused codeTypos
Threat ModelWhat are threat models?FeeDistributor.solLeverager.solVoter.solVotingEscrow.sol
Audit ResultsSummary
Category: Coding Mistakes

The locked amount is truncated to int128 in the _depositFor function

High Severity
Medium Impact
Low Likelihood

Description

The _depositFor function handles creating a new lock, extending the period of the lock and depositing to the lock.

function _depositFor(
	uint256 _lockerId,
	uint256 _value,
	uint256 unlockTime,
	LockedBalance memory lockedBalance,
	DepositType _depositType
) internal {
    // ...
	if (_value != 0) {
		_locked.amount += int128(int256(_value));
		supply = supplyBefore + _value;
	}
    // ...
    address from = msg.sender;
	if (_value != 0) {
		require(
			IERC20(token).transferFrom(from, address(this), _value),
			"fail to .transferFrom when ._depositFor"
		);
	}
    // ...
}

If the _value is nonzero, the locked amount of the lock increases and the token is transferred from the msg.sender. However, the _value is truncated to the int128 type when the locked amount increases.

Impact

If a user tries to deposit the amount more than , this function will lock up the tokens from the user or revert.

Recommendations

Consider confirming that the given amount does not overflow in the _depositFor function.

Remediation

This issue has been acknowledged by Familia Labs Ltd., and a fix was implemented in commit f91f7386.

Zellic © 2025Back to top ↑