Unsafe arithmetic in transfer handling #2396

Open
kevin-valerio opened this issue Feb 6, 2025 · 1 comment

@kevin-valerio

While performing a transfer, I encountered unsafe arithmetic in ext.rs, which can be triggered using the following PoC.

PoC:

```rust
#[ink::contract]
mod poc {
    #[ink(storage)]
    pub struct Poc {
        value: bool,
    }

    impl Poc {
        #[ink(constructor)]
        #[ink(payable)]
        pub fn new(init_value: bool) -> Self {
            Self { value: init_value }
        }

        // Payable no-op: only accepts the transferred value.
        #[ink(message)]
        #[ink(payable)]
        pub fn deposit(&mut self) {}

        // No bounds check on `amount`; the transfer result is not inspected.
        #[ink(message)]
        pub fn withdraw(&mut self, amount: u128) {
            let transfer = self.env().transfer(self.env().caller(), amount);
            let new_balance = self.env().balance();
        }
    }

    #[cfg(test)]
    mod tests {
        use super::*;

        #[ink::test]
        fn it_works() {
            let mut poc = Poc::new(false);
            ink::env::test::set_value_transferred::<ink::env::DefaultEnvironment>(10);
            poc.deposit();
            // Per the output below, this call panics in ink_engine's ext.rs.
            poc.withdraw(u128::MAX);
        }
    }
}
```

Output:

```
thread 'poc::tests::it_works' panicked at .cargo/registry/src/index.crates.io-6f17d22bba15001f/ink_engine-5.1.1/src/ext.rs:118:37:
attempt to subtract with overflow
```

I haven't gone any further into the exploitation phase, but I suspect that it might be abused by an attacker if the contract is built in release mode, where it will overflow. In debug mode, it just panics, as shown above.

Is this known to the team? Any feedback or help to see if this is actually an issue is appreciated.
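
The debug-versus-release behaviour raised above, as an added example that is not part of the issue and is not ink_engine's code: a plain `-` on `u128` panics when overflow checks are on and wraps when they are off, while `checked_sub` rejects the transfer in both profiles. The `Ledger` type, its method names and the account labels are hypothetical, and the balances are constructed sample values.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum TransferError {
    InsufficientBalance,
    DestinationOverflow,
}

/// Hypothetical ledger for illustration; not ink_engine's data model.
struct Ledger {
    balances: HashMap<&'static str, u128>,
}

impl Ledger {
    fn balance(&self, who: &str) -> u128 {
        *self.balances.get(who).unwrap_or(&0)
    }

    /// Value an unchecked `balance - amount` yields when overflow checks
    /// are off (Rust's default release profile): it wraps modulo 2^128.
    fn debit_wrapping(&self, who: &str, amount: u128) -> u128 {
        self.balance(who).wrapping_sub(amount)
    }

    /// Checked transfer: validate both sides before mutating any state.
    fn transfer(&mut self, from: &'static str, to: &'static str, amount: u128)
        -> Result<(), TransferError> {
        let new_from = self.balance(from).checked_sub(amount)
            .ok_or(TransferError::InsufficientBalance)?;
        if from == to {
            return Ok(()); // self-transfer: funds verified, balance unchanged
        }
        let new_to = self.balance(to).checked_add(amount)
            .ok_or(TransferError::DestinationOverflow)?;
        self.balances.insert(from, new_from);
        self.balances.insert(to, new_to);
        Ok(())
    }
}

/// Constructed sample state: the contract holds 10, the caller holds 0.
fn sample_ledger() -> Ledger {
    Ledger { balances: HashMap::from([("contract", 10), ("caller", 0)]) }
}

fn main() {
    let mut l = sample_ledger();
    println!("wrapped: {}", l.debit_wrapping("contract", u128::MAX));
    println!("checked: {:?}", l.transfer("contract", "caller", u128::MAX));
}
```

With a balance of 10, the wrapped result of subtracting `u128::MAX` is 11, a plausible-looking balance that no later sanity check would flag.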

@kevin-valerio
Author

Hi @cmichi / @ascjones, excuse me for the ping, but since it might be a security issue, I would be curious to have your take on this. Thank you!
