Integer Overflow & Underflow Threat Explained
Source: The Top 10 Most Threatening Vulnerabilities in Web3 Protocols: #10 Integer Overflow/Underflow
Integer overflow and underflow remain critical vulnerabilities in Web3 protocols. They occur when calculations produce results too large or too small to fit into a fixed-size storage slot, leading to corrupted states, halted executions, or disrupted incentives.
Why Integer Overflow/Underflow Matters
Smart contracts extensively use fixed-width integers for essential operations like balance tracking, pricing, and protocol parameters. When arithmetic goes beyond these fixed limits:
- Token supplies can inflate unexpectedly
- Balances may vanish
- Key transaction logic can break or revert
This threat undermines the fundamental trust and reliability of any DeFi protocol.
Prevalence in Web3
According to Sherlock’s audit data, roughly 1 in 160 vulnerabilities involve integer overflow or underflow. These issues often arise when:
- Developers use old Solidity versions without built-in safety.
- “Unchecked” blocks are employed to save gas.
- Unsafe type casting or math operations are involved.
Variants of Overflow/Underflow Vulnerabilities
1. Arithmetic Wraparound: Pre-Solidity 0.8 code wraps values silently beyond bounds.
2. Unchecked Arithmetic: Using the `unchecked` keyword disables safe checks.
3. Type Casting Errors: Unsafe conversions between integer types cause invalid results.
4. Intermediate Overflow: Large intermediate calculations overflow before final results fit.
Real-world Impacts
When these vulnerabilities occur, they tend to:
- Compromise data integrity
- Inflate token supply or erase balances
- Cause transaction failures
- Distort pricing and reward structures
These effects threaten both system consistency and user trust.
Examples from Sherlock Audits
- Sophon Farming: Overflow risks in reward computations threatened payout consistency.
- Symmetrical Protocol: Underflow bugs disrupted liquidations.
- PoolTogether: Missing indices caused underflows during vault calculations, triggering settlement failures.
Historic Exploit Cases
- BatchOverflow (2018): Attackers exploited batchTransfer overflow to mint unlimited tokens, forcing exchanges to suspend deposits.
- Yam Finance (2020): A rebase bug inflated tokens, breaking governance and locking $750K in treasury funds.
Best Practices to Prevent Overflow and Underflow
✅ Use Solidity 0.8+, which reverts on overflow/underflow by default.
✅ Avoid or carefully audit the usage of `unchecked` blocks to ensure boundaries are formally proven.
✅ Rely on trusted math libraries like SafeCast, Math.mulDiv, or Uniswap’s FullMath to handle edge cases safely.
✅ Implement rigorous testing, including fuzzing and property-based tests, to validate behavior under extreme values, not just average cases.
Maintaining precise and safe arithmetic is not just an optimization-it’s a core pillar of trustworthy DeFi protocols. Ignoring it opens the door to silent, damaging failures that can break entire systems.
