0xpinky - BoundedStepwiseLogarithmicPriceAdapter : incorrect check for logrithmic overflow. due to this, still overflow is possible

[sherlock-admin]

0xpinky

high

BoundedStepwiseLogarithmicPriceAdapter : incorrect check for logrithmic overflow. due to this, still overflow is possible

Summary

There are four type of price prediction contract implemented which are used to calculate the price of the components during the rebalance period. to be precise at the time of bidding by the valid bidder. when we see the implementation of these price calculation contract, each have its own overflow protection by comparing the hardcoded values. The protection from overflow works for all type of contract except for BoundedStepwiseLogarithmicPriceAdapter, since it incorrectly check the overflow condition. Due to this, overflow is still possible.

Vulnerability Detail

Refer the block of codes from the getprice function.

        if (lnArgument > MAX_LOG_ARG) { ---------------------------->> this check is not sufficient.
            return _getBoundaryPrice(isDecreasing, maxPrice, minPrice);
        }
        uint256 lnExpression = uint256(FixedPointMathLib.lnWad(lnArgument + WAD)); --->> WAD value is added here.

first check for lnArgument > MAX_LOG_ARG

later the value lnArgument + WAD is used to decide the logarithmic expression. at this stage the value of lnArgument + WAD would have exceeded the MAX_LOG_ARG

Impact

overflow of logrithamic value which would affect the price calculation during the rebalance.

Code Snippet

https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/integration/auction-price/BoundedStepwiseLogarithmicPriceAdapter.sol#L64-L68

Tool used

Manual Review

Recommendation

Update the codes as given below

        if ( (lnArgument + WAD) > MAX_LOG_ARG) { ----------------->> updated here.
            return _getBoundaryPrice(isDecreasing, maxPrice, minPrice);
        }
        uint256 lnExpression = uint256(FixedPointMathLib.lnWad(lnArgument + WAD));

Duplicate of #1