sherlock-admin4
commented
2 months ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
SafeMath is already included by default in version 0.8.0 and above
Closed sherlock-admin3 closed 2 months ago
sherlock-admin4
commented
2 months ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
SafeMath is already included by default in version 0.8.0 and above
unRekt
Medium
Contracts not using safe math
Summary
Not using
SafeMathcan lead to overflow & underflow of arithmetic calculationsVulnerability Details
Calculations that do not check for under/overflow can easily cause severe issues in Solidity. The contract
PendlePTOracle.sol,VaultRewarderLib.sol,PendlePTEtherFiVault.sol,BaseStakingVault.soland more, do not useSafeMathto prevent overflow and underflow in arithmetic operations. In thePendlePTOracle.sol,_calculateBaseToQuotefunction they have a comment at the top that says, "Overflow and div by zero not possible" here, this is just an assumption with no valid check. Majority of contracts that perform calculations, have usedSafeMath.Impact
The only valid reason for not using
SafeMathis that the design of the system makes it impossible for overflows or underflows to occur. But even in that case, the only way to prove it is with extensive formal verifications, and a mistake in any place of the system could be catastrophic.Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/14d3eaf0445c251c52c86ce88a84a3f5b9dfad94/leveraged-vaults-private/contracts/oracles/PendlePTOracle.sol#L110
Tool used
Manual Review
Recommendation
Consider using using
SafeMathfor all calculations and adding a comment to every statement with an arithmetic operation explaining why it is safe. Ideally, these claims would be accompanied by a formal verification.