search

sherlock-audit / 2023-10-mzero-judging

3 stars 2 forks source link

w42d3n - Using subtraction in an unchecked block may silently underflow #74

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

w42d3n

medium

Using subtraction in an unchecked block may silently underflow

Summary

The developer is using subtraction in unchecked blocks.

Vulnerability Detail

In modern versions of Solidity, arithmetic operations that would underflow or overflow will now revert by default. However, it is possible to obtain the previous behavior where such operations will wrap rather than reverting, by using an unchecked block.

While arithmetic operations inside such blocks may incur lower gas costs, these blocks should be used carefully, as unintended wrapping behavior may lead to program errors if the developer erroneously believes an operation to be safe.

Impact

underflow

Code Snippet

https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/libs/ContinuousIndexingMath.sol#L54-L61

        unchecked {
            // NOTE: While `uint256(x) * EXP_SCALED_ONE` can technically overflow, these divide/multiply functions are
            //       only used for the purpose of principal/present amount calculations for continuous indexing, and
            //       so for an `x` to be large enough to overflow this, it would have to be a possible result of
            //       `multiplyDown` or `multiplyUp`, which would already satisfy
            //       `uint256(x) * EXP_SCALED_ONE < type(uint240).max`.
            return UIntMath.safe112(((uint256(x) * EXP_SCALED_ONE) + index - 1) / index);
        }
    }

https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/libs/ContinuousIndexingMath.sol#L79-L81

        unchecked {
            return uint240(((uint256(x) * index) + (EXP_SCALED_ONE - 1)) / EXP_SCALED_ONE);
        }

https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/libs/ContinuousIndexingMath.sol#L89-L91

        unchecked {
            return uint144((uint256(index) * deltaIndex) / EXP_SCALED_ONE);
        }

https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/libs/ContinuousIndexingMath.sol#L98-L101

        unchecked {
            return uint144((uint256(index) * deltaIndex + (EXP_SCALED_ONE - 1)) / EXP_SCALED_ONE);
        }

Tool used

Manual Review

Recommendation

Remove unchecked blocks.

sherlock-admin4 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 5 months ago

Invalid, as mentioned in comments, will not underflow