search

sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

lokstory - Overflow when calculating the reserve ratio #120

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

lokstory

medium

Overflow when calculating the reserve ratio

Summary

When calculating the reserve ratio, it may overflow when allReserves * 1e18 is greater than type(uint256).max.

Vulnerability Detail

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L490

When allReserves is greater than 115792089237316195423570985008687907853269984665640564039457 (type(uint256).max / 1e18), it will overflow.

function _getReserveStatus(uint256 allReserves, uint256 liabilities)
    internal
    view
    returns (ReserveStatus reserveStatus, uint256 reserveRatio)
{
    if (liabilities == 0) {
        reserveStatus = allReserves == 0 ? ReserveStatus.Undefined : ReserveStatus.Infinite;
    } else {
        reserveStatus = ReserveStatus.Finite;

        // All decimals of parameters are the same as USD1
        uint256 valueBase = 10 ** tokenManager.usd1().decimals();

        reserveRatio = ScalingUtils.scaleByBases(
            allReserves * valueBase / liabilities,
            valueBase,
            tokenManager.RESERVE_RATIO_BASE()
        );
    }
}

Impact

Users will be unable to perform the swap when the reserve ratio threshold is greater than 0 and overflow.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L490

Tool used

Manual Review

Recommendation

Considers to use mulDiv to perform calculations and reduce the likelihood of overflow.