Understanding Overflow and Underflow Vulnerabilities in Smart Contracts
As blockchain technology powers everything from DeFi platforms to NFT marketplaces, smart contracts have become the backbone of trustless systems. However, writing secure smart contracts is no small feat. Among the many vulnerabilities developers must guard against, overflow and underflow issues stand out as subtle yet potentially catastrophic ones.
While these terms might sound like something from a computer science textbook, understanding these issues is critical to building secure and reliable smart contracts. In this article, we’ll break down what overflow and underflow issues are, why they matter in smart contract development and audit, and how developers can mitigate them.
What are overflow / underflow issues?
To understand overflow and underflow, let’s start with a quick refresher on how computers handle numbers. In programming, variables are assigned specific data types that dictate how much space they occupy in memory. For example, in Solidity an unsigned integer (uint256) can store values from 0 to 2^256–1 (a massive but still finite number). If an operation tries to push the value beyond this range, an overflow occurs, and the value wraps around to 0. Similarly, if a value drops below 0 for an unsigned integer, an underflow occurs, wrapping the value to the maximum (2^256- 1).
Overflow error
An overflow occurs when a calculation exceeds the max value a data type can hold, causing the value to “wrap around” to the min value, and function doesn’t handle the excess correctly.
Imagine a car odometer with only three digits. If it hits 999 miles and you drive one more mile, it rolls over to 000. That’s an overflow.
Underflow error
On the flip side, an underflow happens when a calculation goes below the min value, wrapping around to the max value. In smart contracts, this might happen if a function subtracts more than the current value can handle.
In the car odometer example above, if you somehow drive “backward” from 000, it might jump to 999 — that’s what an underflow is.
Why are overflow / underflow issues critical in smart contracts?
Smart contracts often handle valuable assets, such as cryptocurrencies or tokenized assets and operate in a trustless environment. A single bug can lead to exploits, draining funds or breaking functionality. An overflow or underflow error can lead to unintended consequences, such as:
- Balances manipulation: An attacker could exploit an overflow to artificially inflate their token balance or drain someone else’s.
- Security checks bypassing: Underflows might allow unauthorized actions, like withdrawing more funds than permitted.
- Financial exploits: Attackers can manipulate calculations to steal funds. For example, an underflow in a token transfer function might allow a user to withdraw more tokens than they own.
- Contract failures: Incorrect calculations can cause a contract to malfunction, locking funds or rendering the contract unusable.
- Denial of Service: Incorrect calculations could freeze contract functionality, locking users out.
- Loss of trust: Vulns undermine user confidence in a project, potentially tanking its reputation and market value.
Overflow and underflow errors aren’t just theoretical — they cause real damage in the blockchain world.
One of the most infamous real-world examples is the 2018 BeautyChain (BEC) token exploit, where an overflow vulnerability in a smart contract allowed attackers to generate an astronomical number of tokens, crashing the token’s value. This incident underscores why developers must prioritize overflow and underflow protection.
How Solidity addresses underflow / overflow
Starting with Solidity version 0.8.0, the language introduced built-in arithmetic checks to prevent these errors by default. If an overflow or underflow occurs, the transaction reverts, protecting the contract from unintended behavior. This is a huge step forward for smart contract security.
However, if you’re working with older Solidity versions (pre-0.8.0) or need to bypass these checks for specific use cases, you’ll need to take extra precautions. Let’s explore how to protect your contracts in both scenarios.
Detecting overflow and underflow
There are several methods you can use to identify overflow / underflow errors:
- Code review: Examine arithmetic operations to ensure they can’t exceed variable bounds. Pay close attention to loops and user inputs, which are common entry points for exploits.
- Contract analysis tools: Tools like Slither, Mythril, and Oyente help flag potential overflow/underflow issues by analyzing the contract’s bytecode and control flow.
- Fuzz testing: Simulate extreme inputs (e.g., maximum or negative values) to see how the contract behaves under stress.
- Formal verification: For critical cases, use math proofs if possible to verify that arithmetic operations stay within safe bounds.
- Version checks: Confirm the contract uses a Solidity version with built-in overflow/underflow checks (0.8.0 or higher) or employs safe libraries for older versions.
Also, don’t forget to look for implicit assumptions in the code. For example, a developer might assume that a balance can never go negative, but without explicit checks, an underflow could make it happen.
Best practices to mitigate overflow / underflow
Preventing overflow / underflow errors requires proactive coding practices and robust auditing. Here are some best practices for developers:
1. Use SafeMath libraries
For Solidity versions before 0.8.0, use a battle-tested library like OpenZeppelin’s SafeMath. It provides functions like add, sub, and mul that revert on overflow or underflow.
In Solidity 0.8.0 and above, arithmetic checks are built-in, so SafeMath is less necessary, but it’s still a good habit for clarity and compatibility.
2. Validate inputs
Always validate user inputs to prevent malicious values. For example, ensure that amounts are positive and within reasonable ranges before performing arithmetic.
3. Use appropriate data types
Choose data types that match the expected range of values. For example, use uint256 for token balances but consider smaller types like uint32 for counters if you know the range is limited — just ensure the maximum value is sufficient.
4. Test extensively
Write unit tests that cover edge cases, such as:
- Maximum and minimum values for variables
- Zero or negative inputs
- Large loops that could cause cumulative overflows Tools like Hardhat and Foundry make it easy to simulate these scenarios
- Boundary conditions (e.g., adding 1 to the maximum value or subtracting 1 from 0)
- Large or unexpected inputs
5. Upgrade to modern Solidity
If possible, use Solidity 0.8.0 or higher, which includes automatic overflow/underflow checks. If you’re working with legacy contracts, audit them carefully and consider wrapping arithmetic in SafeMath.
6. Engage professional auditors
Even the experienced developers can miss subtle bugs. Partner with a reputable blockchain security firm to audit your smart contracts. A professional audit from a trusted company provides an extra layer of assurance, catching issues that automated tools or internal reviews might overlook. Auditors use advanced tools and expertise to identify vulns, including overflow / underflow ones.
Wrapping up
Overflow and underflow errors may sound technical, but they’re critical to understand in blockchain development industry, ensuring that numbers behave as expected in smart contracts. Whether you’re a developer writing the next big DeFi protocol or a user entrusting your funds to a dApp, knowing about these vulnerabilities empowers you to demand higher security standards.
Blockchain technology is transforming industries, but with great power comes great responsibility. By understanding these errors, being proactive and implementing rigorous security measures and best practices, we can ensure security and reliability of the code, minimize risks and build trust in decentralized industry.
About SmartState
Launched in 2019 and incorporated in Dubai, SmartState is an independent Web3 security company providing top-notch external security audits and enterprise level blockchain security services.
We’ve built a professional team of skilled white-hat hackers, cyber security experts, analysts and developers. The SmartState team have extensive experience in ethical hacking and cyber security, blockchain & Web3 development, financial and economic sectors.
We’ve conducted security audits for >500 projects so far. None of code audited by SmartState had been hacked. Blockchains like TON, large projects like EYWA, 1inch and CrossCurve & exchanges such as Binance and KuCoin rely on our experience.
🚀 Concerned about your project & assets security? Book free security consultation! Let’s get in touch: info@smartstate.tech
Stay tuned for more updates from SmartState and follow us on social media to learn about our latest auditing services and success stories:
Disclaimer
Always DYOR. This article is for informational purposes only, does not constitute legal, financial, investment advice and / or professional advice, and we are not responsible for any decisions based on our analysis or recommendations. Always consult with a qualified security expert and conduct thorough testing before deploying smart contracts.
