Summary

In the StETHMock contract, the functions getSharesByPooledEth and getPooledEthByShares perform division operations where totalPooledEther and totalShares are the denominators, respectively.

Vulnerability Details

In both functions, if the denominator (totalPooledEther in getSharesByPooledEth and totalShares in getPooledEthByShares) is zero, a division by zero error will occur. Division by zero is undefined in mathematics and is not allowed in most programming languages, including Solidity. If such a division is attempted, the contract will revert and the transaction will fail.

This situation could occur in the initial state of the contract, before any shares are minted. In this case, both totalShares and totalPooledEther would be zero. If either getSharesByPooledEth or getPooledEthByShares were called at this point, it would result in a division by zero error.

Additionally, if the contract state is improperly managed such that totalShares or totalPooledEther becomes zero at any point after initialization, the same error would occur. This could happen due to a bug in the contract code or malicious activity.

Impact

If these division operations are attempted when the denominators are zero, it will cause the entire transaction to revert. This could have the following negative impacts:

• Users cannot successfully interact with the affected functions

• Funds or assets may be permanently locked in the contract

• Breaches trust in the mathematical integrity of the contract

Tools Used

Manual

Recommendations

The contract should include checks to ensure that totalShares and totalPooledEther are never zero before performing these divisions. This could be done with a require statement in each function, like so:

and

These checks would ensure that the contract reverts in a controlled manner with a clear error message if a division by zero is attempted, rather than failing due to a low-level Solidity error.