Closed howlbot-integration[bot] closed 3 weeks ago
alex-ppg marked the issue as not a duplicate
The submission details that an overflowing_sub
might be insecure to utilize in the context referenced, however, the code will validate that the sqrt_price_x_96
value is greater than the quotient
right before executing the subtraction rendering it safe.
alex-ppg marked the issue as unsatisfactory: Invalid
I think the issue should be reconsidered for the following reasoning:
// always fits 160 bits
return uint160(sqrtPX96 - quotient);
So usage of such overflowing_sub functionality is unsafe as it does not ensure that the value fits into 160 bits.
We should follow Uniswap V3's math faithfully.
So any deviation from it basically means that the invariant is broken
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/maths/sqrt_price_math.rs#L139
Vulnerability details
Impact
In the current functionality,
get_next_sqrt_price_from_amount_1_rounding_down()
usesoverflowing_sub
functionality that does not revert in the case of overflow making the function not always fit into uint160.Proof of Concept
Take a look into
get_next_sqrt_price_from_amount_1_rounding_down()
functionality:https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/maths/sqrt_price_math.rs#L122-126
But at the end of the function
overflowing_sub
is used that will not revert if there is overflow:https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/maths/sqrt_price_math.rs#L139
The value
sqrt_price_x_96
has to always fit into uint160.Tools Used
Manual review.
Recommended Mitigation Steps
Change the last line on
Ok(sqrt_price_x_96 - quotient)
Assessed type
Other