The code assumes that the maturity timestamp is always in the future. If maturity is in the past, timeToExpiry could underflow.
The code assumes that the totalBaseLptTimesN will always be greater than netBaseLptToAccount. If this is not the case, it could lead to underflow.
Vulnerability Detail
uint256 timeToExpiry = pool.maturity - block.timestamp;
there is no check on pool.maturity is greater than block.timestamp or not.
Impact
If this is not the case, it could lead to underflow.
Code Snippet
function _setPostPoolState(
PoolState memory pool,
PoolPreCompute memory comp,
int256 netBaseLptToAccount,
int256 netUnderlyingToAccount18,
int256 netUnderlyingToProtocol18
) internal view {
// update pool state
// Note safe because pre-trade check ensures totalBaseLptTimesN >= netBaseLptToAccount
pool.totalBaseLptTimesN = (pool.totalBaseLptTimesN.toInt256() - netBaseLptToAccount).toUint256();
pool.totalUnderlying18 = (pool.totalUnderlying18).toInt256().subNoNeg(
netUnderlyingToAccount18 + netUnderlyingToProtocol18
).toUint256();
// compute post-trade implied rate
// this will be used to compute the new rateAnchor for the next trade
uint256 timeToExpiry = pool.maturity - block.timestamp;
pool.lastLnImpliedRate = _getLnImpliedRate(
pool.totalBaseLptTimesN, pool.totalUnderlying18, comp.rateScalar, comp.rateAnchor, timeToExpiry
);
// It's technically unlikely that the implied rate is actually exactly zero but we will still fail
// in this case.
if (pool.lastLnImpliedRate == 0) revert Errors.PoolZeroLnImpliedRate();
}
bareli
medium
underflow checks
Summary
The code assumes that the maturity timestamp is always in the future. If maturity is in the past, timeToExpiry could underflow. The code assumes that the totalBaseLptTimesN will always be greater than netBaseLptToAccount. If this is not the case, it could lead to underflow.
Vulnerability Detail
uint256 timeToExpiry = pool.maturity - block.timestamp; there is no check on pool.maturity is greater than block.timestamp or not.
Impact
If this is not the case, it could lead to underflow.
Code Snippet
function _setPostPoolState( PoolState memory pool, PoolPreCompute memory comp, int256 netBaseLptToAccount, int256 netUnderlyingToAccount18, int256 netUnderlyingToProtocol18 ) internal view { // update pool state // Note safe because pre-trade check ensures totalBaseLptTimesN >= netBaseLptToAccount pool.totalBaseLptTimesN = (pool.totalBaseLptTimesN.toInt256() - netBaseLptToAccount).toUint256(); pool.totalUnderlying18 = (pool.totalUnderlying18).toInt256().subNoNeg( netUnderlyingToAccount18 + netUnderlyingToProtocol18 ).toUint256(); // compute post-trade implied rate // this will be used to compute the new rateAnchor for the next trade uint256 timeToExpiry = pool.maturity - block.timestamp; pool.lastLnImpliedRate = _getLnImpliedRate( pool.totalBaseLptTimesN, pool.totalUnderlying18, comp.rateScalar, comp.rateAnchor, timeToExpiry ); // It's technically unlikely that the implied rate is actually exactly zero but we will still fail // in this case. if (pool.lastLnImpliedRate == 0) revert Errors.PoolZeroLnImpliedRate(); }
Tool used
Manual Review
Recommendation
use check using if statement .