getL1Fee() function calculates the L1 fee by multiplying the L1 gas used by the current L1base fee, then scaling the result by the fee scalar. This calculation could result in an overflow if the gas used or base fee is too large. An overflow occurs when the result of the multiplication operation is larger than the maximum value that can be stored in the variable type used to store the result.
We know, the maximum value for a uint256 variable is 2^256 - 1,
Now if the gas used is 2^256 - 1, and the L1 base fee is 1 wei,
then the result of the multiplication would be 2^256 - 1 wei.
This value is larger than the maximum value that can be stored in a uint256 variable.
As a result, an overflow would occur and the resulting L1 fee would be incorrect.
Impact
If an overflow occurs, it may be difficult to detect and debug the issue. The contract may continue to operate with an incorrect fee calculation, leading to unexpected behavior or security vulnerabilities.
Code Snippet
Tool used
Manual Review
Recommendation
To add checks for potential overflow in the getL1Fee() function, we can use the SafeMath library provided by OpenZeppelin.
The SafeMath library provides functions that perform arithmetic operations with checks for potential overflow or underflow.
OCC
medium
Risk of Integer Overflow in L1 Fee Calculation
Summary
getL1Fee()
function calculates theL1
fee by multiplying theL1
gas used by the currentL1
base fee, then scaling the result by the fee scalar. This calculation could result in an overflow if the gas used or base fee is too large. An overflow occurs when the result of the multiplication operation is larger than the maximum value that can be stored in the variable type used to store the result.Vulnerability Detail
https://github.com/sherlock-audit/2023-03-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/GasPriceOracle.sol#L43-L50
We know, the maximum value for a
uint256
variable is2^256 - 1
,Now if the gas used is
2^256 - 1
, and theL1
base fee is1 wei
, then the result of the multiplication would be2^256 - 1 wei
. This value is larger than the maximum value that can be stored in auint256
variable. As a result, an overflow would occur and the resultingL1
fee would be incorrect.Impact
If an overflow occurs, it may be difficult to detect and debug the issue. The contract may continue to operate with an incorrect fee calculation, leading to unexpected behavior or security vulnerabilities.
Code Snippet
Tool used
Manual Review
Recommendation
To add checks for potential overflow in the
getL1Fee()
function, we can use the SafeMath library provided by OpenZeppelin. The SafeMath library provides functions that perform arithmetic operations with checks for potential overflow or underflow.