search

code-423n4 / 2023-07-tapioca-findings

15 stars 10 forks source link

`OracleMath.sol` used in `Seer.sol` inherits `FullMath.sol` to use `_mulDiv` , function which will revert all the time since it doesn't allow for overflow behavior #366

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/oracle/external/FullMath.sol#L19-L111

Vulnerability details

Impact

FullMath.sol which is used in OracleMath.sol has the _mulDiv function which is copied from UniswapV3 FullMath library, function which require overflow behavior, but that behavior will not be allowed in the Tapioca OracleMath.sol contract, which would make the _getQuoteAtTick revert most of the time.

Proof of Concept

The contract FullMath.sol uses solidity version >=0.4.0 as can be seen here https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/oracle/external/FullMath.sol#L3 which will allow for overflows, but OracleMath.sol is compiled with pragma solidity ^0.8.7 as can be seen here https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/oracle/utils/OracleMath.sol#L3, which will also compile FullMath.sol with the version ^0.8.7 since that's how inheritance works in solidity, making the _mulDiv function reverting all the time on overflows.

Tools Used

Manual review

Recommended Mitigation Steps

Use uncheck boxes on the _mulDiv function, instead of using >=0.4.0 version of solidity, since with the inheritance that you are doing in OracleMath.sol this will be still compiled at the OracleMath.sol version

Assessed type

Library

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #138

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory