search

code-423n4 / 2022-01-yield-findings

1 stars 0 forks source link

Gas in `Cvx3CrvOracle.sol:_peek()`: `minStable` can't overflow, as the comment states. Uncheck it. #69

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

Dravee

Vulnerability details

Impact

Increased gas cost due to unnecessary automatic overflow checks.

Solidity version 0.8+ comes with implicit overflow and underflow checks on unsigned integers.

When an overflow or an underflow isn't possible (as an example, when a comparison is made before the arithmetic operation, or the operation doesn't depend on user input), some gas can be saved by using an unchecked block.

https://docs.soliditylang.org/en/v0.8.10/control-structures.html#checked-or-unchecked-arithmetic

Proof of Concept

As it's in a comment, it's known to the sponsor that minStable can't overflow:

File: Cvx3CrvOracle.sol
129:         // This won't overflow as the max value for int256 is less than the max value for uint256
130:         uint256 minStable = min(
131:             uint256(daiPrice),
132:             min(uint256(usdcPrice), uint256(usdtPrice))
133:         );

This should be wrapped inside an unchecked block to save gas.

Tools Used

VS Code

Recommended Mitigation Steps

Uncheck arithmetic operations when the risk of underflow or overflow is already contained by wrapping them in an unchecked block

iamsahu commented 2 years ago

The comment refers to the casting & not to the arithmetic

GalloDaSballo commented 2 years ago

I believe the finding to be invalid, there's no overflow checks in the min function