Summary
In buy_policy(), contracts/policy-engine/src/lib.rs line 184 computes the premium as:
let premium = coverage_amount * product.premium_rate_bps as i128 / 10_000;
This intermediate multiplication coverage_amount * premium_rate_bps can overflow i128 for large coverage values.
Overflow Threshold
premium_rate_bps max = 10,000 (100%)
i128::MAX = 1.7 × 10^38
coverage_amount * 10_000 overflows when coverage_amount > i128::MAX / 10_000 ≈ 1.7 × 10^34
While USDC has 6 decimals (so 1 USDC = 1_000_000 base units, the same scale as XLM stroops), and coverage_max is admin-controlled, the only bound on coverage_amount in buy_policy is that admin-set coverage_max; nothing validates coverage_max itself against the overflow threshold. Additionally, for future multi-token support with 18-decimal tokens, the threshold expressed in whole tokens drops by a factor of 10^12 (roughly 1.7 × 10^28 whole tokens at 6 decimals versus 1.7 × 10^16 at 18 decimals).
Code Path
// buy_policy line 177-178 — coverage_amount range check
if coverage_amount < product.coverage_min || coverage_amount > product.coverage_max {
    panic_with_error!(&env, Error::CoverageOutOfRange);
}

// line 184 — unchecked multiply
let premium = coverage_amount * product.premium_rate_bps as i128 / 10_000;
If an admin sets coverage_max to a pathological value, or a bug in admin tooling results in a very large value being accepted, the multiplication overflows. Whether that wraps silently or panics depends on the build profile: a plain release build wraps, while a debug build, or a release profile with overflow-checks = true (as the Soroban project templates set), panics. A wrapped product is negative or far smaller than the true value, so the policy would be issued for a premium that bears no relation to its coverage.
Fix
Use checked_mul and return an error on overflow. The failure should surface as a dedicated variant (Error::Overflow below is a placeholder name for a variant to add to the contract's Error enum) rather than reusing Error::Unauthorized, which would misreport the cause:
let premium = coverage_amount
    .checked_mul(product.premium_rate_bps as i128)
    .and_then(|v| v.checked_div(10_000))
    .unwrap_or_else(|| panic_with_error!(&env, Error::Overflow));
The checked_div cannot fail for a non-zero constant divisor, but keeping the whole expression checked makes the intent explicit. As a complementary defence, bound coverage_max at product creation so that coverage_max * premium_rate_bps is known to fit in i128 before any policy is bought.
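The following is an added, stand-alone reproduction of the computation (it is not the policy-engine contract's code) that shows the unchecked expression wrapping to a negative premium just past the threshold, the checked version rejecting the same input, and the threshold in whole tokens at 6 and 18 decimals. PremiumError, max_safe_coverage and the other names are chosen for this example only; the contract's own types are not used.

```rust
// Added example, not the policy-engine contract's code. Reproduces the premium
// formula from buy_policy() outside the contract so the overflow threshold and
// the checked_mul fix can be exercised directly. All names here are assumed.

#[derive(Debug, PartialEq, Eq)]
pub enum PremiumError {
    RateOutOfRange,   // premium_rate_bps above 100%
    NegativeCoverage, // the contract's coverage_min check covers this; made explicit here
    Overflow,         // coverage_amount * premium_rate_bps does not fit in i128
}

pub const BPS_DENOMINATOR: i128 = 10_000;

/// The original expression. `wrapping_mul` asks for wrap-around explicitly so
/// the demonstration is deterministic; in the contract the same `*` wraps or
/// panics depending on the build profile's overflow-checks setting.
pub fn premium_unchecked(coverage_amount: i128, premium_rate_bps: u32) -> i128 {
    coverage_amount.wrapping_mul(premium_rate_bps as i128) / BPS_DENOMINATOR
}

/// Hardened version: validate the inputs, then use checked arithmetic and
/// report overflow as its own error instead of a misleading one.
pub fn premium_checked(coverage_amount: i128, premium_rate_bps: u32) -> Result<i128, PremiumError> {
    if premium_rate_bps as i128 > BPS_DENOMINATOR {
        return Err(PremiumError::RateOutOfRange);
    }
    if coverage_amount < 0 {
        return Err(PremiumError::NegativeCoverage);
    }
    coverage_amount
        .checked_mul(premium_rate_bps as i128)
        .and_then(|v| v.checked_div(BPS_DENOMINATOR))
        .ok_or(PremiumError::Overflow)
}

/// Largest coverage_amount for which coverage_amount * premium_rate_bps fits in
/// i128. This is the value coverage_max must never exceed for a given rate.
pub fn max_safe_coverage(premium_rate_bps: u32) -> i128 {
    if premium_rate_bps == 0 {
        return i128::MAX;
    }
    i128::MAX / premium_rate_bps as i128
}

/// The same threshold in whole tokens for a token with `decimals` decimals,
/// which is what shrinks by 10^12 when moving from a 6- to an 18-decimal token.
pub fn max_safe_coverage_whole_tokens(premium_rate_bps: u32, decimals: u32) -> i128 {
    max_safe_coverage(premium_rate_bps) / 10_i128.pow(decimals)
}

fn main() {
    let limit = max_safe_coverage(10_000);
    println!("threshold at 100% rate: {limit}");
    println!("one past threshold, unchecked: {}", premium_unchecked(limit + 1, 10_000));
    println!("one past threshold, checked:   {:?}", premium_checked(limit + 1, 10_000));
    println!("whole tokens, 6 decimals:  {}", max_safe_coverage_whole_tokens(10_000, 6));
    println!("whole tokens, 18 decimals: {}", max_safe_coverage_whole_tokens(10_000, 18));
}
```

Run it with rustc or cargo; the unchecked value one unit past the threshold comes out negative, which is the "silently wraps" case the finding describes, while the checked function returns Overflow for the same input.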
Severity: Medium