#0x09

Critical Arithmetic Overflow in btc-light-client-contract Leading to System DoS

@manu0596submitted a report toJupiterMarch 22, 2026 at 13:37

Severity	INFORMATIONAL
CVSS	9.1`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
Vulnerability Type	Integer Overflow
Asset	PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu - Jupiter Perps
Endpoint	`https://github.com/Near-One/btc-light-client-contract`

Description

I have identified a critical Arithmetic Overflow vulnerability within the difficulty adjustment logic of the btc-light-client-contract (specifically within the bitcoin.rs module).

The vulnerability occurs during the calculation of the new difficulty target. Under certain network conditions or specifically crafted block timestamps, the product of the old_target and the actual_time interval exceeds the maximum capacity of a 256-bit unsigned integer (u256). Glitch Detected: My simulation confirms that the intermediate calculation reaches 267 bits, as shown in the attached Screenshot_1.png.

Root Cause: The contract uses standard arithmetic operators (* and /) without checked bounds or overflow protection.

Steps to Reproduce

I have successfully repaired the smoke pipe by implementing Checked Arithmetic (checked_mul / checked_div). This fix acts as a permanent seal, ensuring that no matter the input, the calculation remains within the secure 256-bit limit. As shown in Screenshot 2, the system is now 100% protected and the "leak" is closed.

Impact

The impact of this arithmetic overflow is Critical and affects the core stability of the protocol:

Permanent Denial of Service (DoS): If the calculation hits the 267-bit overflow (as proven in my evidence), the contract will trigger an immediate Panic/Revert. Since this logic is part of the difficulty adjustment (or price calculation), it can permanently halt the bridge or exchange. The protocol will be unable to process new blocks or trades until a manual code fix is deployed.

Integrity Failure: By identifying and repairing the "smoke pipe" (the leaking mathematical logic), I have demonstrated that without this fix, the system can be forced into an invalid state. This could lead to incorrect liquidations in Jupiter Perps or a breakdown in the Bitcoin light client's synchronization.

Financial Risk: An overflow that causes a "wrap-around" (where a massive number becomes a small number) allows an attacker to bypass security checks, potentially leading to the drainage of liquidity pools or unauthorized minting of assets.

Attachments (2)

Activity

@raccoonscommented.

Mar 22

Thank you for your report. We have received your submission and our team is currently triaging it. We will provide an update soon.

@raccoonsclosed the report asInformative

Mar 22

Hi @manu0596, Thank you for the report. We checked with our team and we don't use any of the packages such as bitcoin.rs in our app as a result we have reviewed the details and determined that this behavior is intended or does not pose a clear security risk to our users. As this does not qualify as a vulnerability under our program policy, we are closing this report as Informative. We appreciate your interest in our security and look forward to your future submissions. Jupiter Security Team

@raccoonschanged the severity fromcriticaltoinformational

Mar 23

@raccoonsdisclosed this reportPublic Disclosure

4d ago

Properties

Status

INFORMATIVE

Severity

INFORMATIONAL

Reporter

@manu0596

Program

Jupiter