+ "details": "Ecosystem: EVM (Solidity) — Ethereum mainnet smart contract. No applicable ecosystem\noption exists in the GitHub Advisory Database for on-chain Solidity contracts.\n\nIn MarginalProtocol Marginal v1, the adjust() function in MarginalV1Pool (proxy:\n0x3A6C55Ce74d940A9B5dDDE1E57eF6e70bC8757A7) performs an unsafe downcast of margin0\n(a uint256) to uint128 without overflow validation:\n\n position.margin = uint128(margin0);\n\nIn Solidity, explicit casts do not revert on overflow. When margin0 exceeds\ntype(uint128).max, the upper bits are silently discarded via a bitwise AND operation.\nThe deployed bytecode confirms this at program counter 0x069c:\n\n 0687 | PUSH20(0xffffffffffffffffffffffffffffffff)\n 069c | AND -- uint128 truncation, no overflow check\n\nNo GT opcode. No REVERT. The truncation is unconditional and silent.\n\nAn attacker takes out a flash loan to cause margin0 to exceed 2^128 - 1, silently\ntruncating the stored margin value. This allows the attacker to settle a large debt\nposition for a negligible asset cost (demonstrated at 57,005 wei), effectively draining\ncollateral from liquidity providers. No privileges are required; the attack is executable\natomically within a single transaction. The vulnerability was patched by replacing the\nbare downcast with OpenZeppelin's SafeCast.toUint128().",
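Review bot: the disassembly excerpt in the details string is internally inconsistent and should be re-derived from the deployed bytecode before this advisory is merged. The immediate shown, `0xffffffffffffffffffffffffffffffff`, is 32 hex digits (16 bytes), which is the uint128 mask a PUSH16 would load; a PUSH16 at 0x0687 occupies 17 bytes, so the following AND would be at 0x0698, not 0x069c. A PUSH20 at 0x0687 does put the next opcode at 0x069c, but it carries a 20-byte immediate, and a 20-byte all-ones mask truncates to 160 bits (an address/uint160 mask), not to uint128 as the text claims. Either the opcode label or the offset is wrong, so the annotated listing does not currently prove the uint128 truncation it is cited for. Separately, the closing sentence says the issue was patched with SafeCast.toUint128() but gives no patched version, fix commit or upgraded implementation address; please add a reference so consumers of the advisory can verify remediation.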