search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

Funny Merlot Yeti - _update function from Pair.sol can overflow for some ERC20 tokens #711

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

Funny Merlot Yeti

Low/Info

_update function from Pair.sol can overflow for some ERC20 tokens

Summary

For ERC-20 tokens with more than 18 decimals, the _update and currentCumulativePrices can revert due to overflow.

Vulnerability Detail

ERC-20 tokens do not specify the maximum number of decimals. Theoretically, these tokens support as many decimals as fit in 256 bits. Using a token with a much larger number of decimals when creating a pool could rapidly read to a non-operating pool, as many critical functions - mint, swap, burn - are calling the _update function which would revert due to overflow.

Impact

Low, as the probability of using such a token are low.

Code snippet

To simplify the review process

function _update(uint balance0, uint balance1, uint _reserve0, uint _reserve1) internal {
    uint blockTimestamp = block.timestamp;
    uint timeElapsed = blockTimestamp - blockTimestampLast; // overflow is desired
    if (timeElapsed > 0 && _reserve0 != 0 && _reserve1 != 0) {
        reserve0CumulativeLast += _reserve0 * timeElapsed;
        reserve1CumulativeLast += _reserve1 * timeElapsed;
    }

Tool used

Manual Review

Recommendation

Impose max digits for the ERC-20 token