code-423n4 / 2021-09-sushitrident-findings


absolute difference is not calculated properly (always incorrect) when a > b in MathUtils #7

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

hack3r-0m

Vulnerability details

https://github.com/sushiswap/trident/blob/9130b10efaf9c653d74dc7a65bde788ec4b354b5/contracts/libraries/MathUtils.sol#L22

a = 10, b = 4

Expected output: 6

Actual output: 115792089237316195423570985008687907853269984665640564039457584007913129639930

Add an else condition to mitigate it.

    unchecked {
        if (a > b) {
            diff = a - b;
        } else {
            diff = b - a;
        }
    }

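An added Python model of the report above (not code from the Trident repository or from the warden): it reproduces Solidity's `unchecked` uint256 wrap-around and compares the proposed mitigation with an assumed shape of the reported function, inferred from the issue title and the suggested fix, in which `diff = b - a` runs unconditionally. The function names and sample inputs are constructed for this illustration.

```python
# Added example: Python model of Solidity `unchecked` uint256 arithmetic.
UINT256_MOD = 2**256


def unchecked_sub(x: int, y: int) -> int:
    """x - y as computed inside `unchecked`: wraps modulo 2**256."""
    return (x - y) % UINT256_MOD


def difference_buggy(a: int, b: int) -> int:
    """ASSUMED shape of the reported code: no `else`, so `b - a` always runs."""
    diff = 0
    if a > b:
        diff = unchecked_sub(a, b)
    diff = unchecked_sub(b, a)  # overwrites the branch above; wraps when a > b
    return diff


def difference_fixed(a: int, b: int) -> int:
    """The mitigation proposed in the report: subtract smaller from larger."""
    if a > b:
        return unchecked_sub(a, b)
    return unchecked_sub(b, a)


def divergent_pairs(values):
    """Return every (a, b, buggy, fixed) where the two versions disagree."""
    out = []
    for a in values:
        for b in values:
            buggy, fixed = difference_buggy(a, b), difference_fixed(a, b)
            if buggy != fixed:
                out.append((a, b, buggy, fixed))
    return out


# Constructed boundary inputs, plus the report's a = 10, b = 4.
SAMPLES = [0, 1, 4, 10, 2**128, UINT256_MOD - 1]

if __name__ == "__main__":
    for a, b, buggy, fixed in divergent_pairs(SAMPLES):
        print(f"a={a} b={b} fixed={fixed} buggy={buggy}")
```

Every disagreement in the sample has a > b, and the buggy value there is 2**256 minus the correct difference.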
maxsam4 commented 3 years ago

This is a valid issue but perhaps we can lower the severity to 2 because this (a > b) should not be triggerable at the places we use it.

itsmetechjay commented 3 years ago

@maxsam4 just a heads up that this warden wants to withdraw this request and resubmit with more information. So I'm closing this issue and they'll resubmit shortly. Warden comments: "i want to change "Vulnerability details" section".

itsmetechjay commented 3 years ago

Re-closing this one as it was withdrawn by warden and resubmitted under another issue.