Closed sherlock-admin2 closed 11 months ago
Escalate
I don't see how this is an issue. There are 2 scenarios where overflow could happen in mulDivRoundingUp()
:
mulDiv()
: where a * b
could cause an overflow. However, it should be noted that there is an unchecked
block in mulDiv()
so this is correctly handledmulmod()
: Solidity in built function available on a global scope. This function does not overflow from solidity v0.8.0 upwards, see here. Or you can simply do a test on remix to verify it.Escalate
I don't see how this is an issue. There are 2 scenarios where overflow could happen in
mulDivRoundingUp()
:
mulDiv()
: wherea * b
could cause an overflow. However, it should be noted that there is anunchecked
block inmulDiv()
so this is correctly handledmulmod()
: Solidity in built function available on a global scope. This function does not overflow from solidity v0.8.0 upwards, see here. Or you can simply do a test on remix to verify it.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
I think the same as nevil! I don't see this as an medium.
The issue is correct. The issue is happening due to wrong use of mulDivRoundingUp()
function as given in uniswap FullMath.sol
contracts used in solidity version ^0.8.0. The function differs here due to missing unchecked block as the detail is present in report.
Old FullMath.sol
mulDivRoundingUp()
from uniswap used in <0.8.0 can be checked here
Recommended TickMath.sol
mulDivRoundingUp()
from uniswap used in ^0.8.0 can be checked here
This issue has also found by Spearbit
as a High severity, some of the references can be checked here and here
Further, this similar issue was accepted at Sherlock which can be checked here
@fann95 Thanks for fixing this issue.
A few points:
mulDiv
function, which is not the case here.mulmod()
is a solidity function that utilizes the mulmod
opcode which handles phantom overflow and it doesn't perform any overflow checks (and didn't perform any in the past). The only check Solidity adds is making sure that the denominator (modulo) is nonzero.mulDivRoundingUp
is result++;
, which could be within an unchecked block because of the preceding check, but it is not a vulnerability if the overflow is checked twice.NOTE: Per Solidity docs, the unchecked
blocks affect only statements that are syntactically within them.
I am leaning towards accepting the escalation for the above reasons. @0xRizwan please let me know if I got something wrong. A PoC may be a good idea to show the validity of this issue.
Plan to accept escalation and make issue invalid @0xRizwan
@Evert0x
If the issue is invalid then i request the sponsor to revert the changes made to contract. Invalid issue with its recommendation being fixed at the same time can not coexist.
Thank you!
Result: Invalid Has Duplicates
Fix looks good. General reformatting
MohammedRizwan
high
The
FullMath
library used inLiquidityBorrowingManager.sol
andDailyRateAndCollateral.sol
is unable to handle intermediate overflows due to overflowSummary
The FullMath.sol library used in
LiquidityBorrowingManager.sol
andDailyRateAndCollateral.sol
contracts doesn't correctly handle the case when an intermediate value overflows 256 bits. This happens because an overflow is desired in this case but it's never reached.Vulnerability Detail
The FullMath.sol library was taken from Uniswap. However, the original solidity version that was used was in this FullMath.sol library was
< 0.8.0
, Which means that the execution didn't revert when an overflow was reached. This effectively means that when a phantom overflow (a multiplication and division where an intermediate value overflows 256 bits) occurs the execution will revert and the correct result won't be returned.mulDivRoundingUp()
from theFullMath.sol
has been used in below in scope contracts,1) In
LiquidityBorrowingManager.sol
having functionscalculateCollateralAmtForLifetime()
,_precalculateBorrowing()
and_getDebtInfo()
2) In
DailyRateAndCollateral.sol
having function_calculateCollateralBalance()
The values returned from these functions wont be correct and the execution of these functions will be reverted when phantom overflow occurs.
Impact
The correct result isn't returned in this case and the execution gets reverted when a phantom overflows occurs.
Code Snippet
Code reference: https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/vendor0.8/uniswap/FullMath.sol#L119-L129
The
FullMath.sol
havingmulDivRoundingUp()
function usedLiquidityBorrowingManager.sol
andDailyRateAndCollateral.sol
doesn't use an unchecked block and it is shown as below(removed comments to shorten the code),Tool used
Manual Review
Recommendation
It is advised to put the entire function bodies of
mulDivRoundingUp()
similar tomulDiv()
in an unchecked block. A modified version of the original Fullmath library that uses unchecked blocks to handle the overflow, can be found in the 0.8 branch of the Uniswap v3-core repo.Per
Uniswap-v3-core
, Do below changes inFullMath.sol