Incorrect implementation of logic in If statement leads to Overflow in mulWadUp function.
Summary
The mulWadUp function attempts to prevent integer overflow by implementing the following logical check :
// Equivalent to require(y == 0 || x <= type(uint256).max / y).
if mul(y, gt(x, or(div(not(0), y), x))) {
mstore(0x40, 0xbac65e5b) // MathMasters__MulWadFailed().
revert(0x1c, 0x04)
}
Lets take a look at the if statement inside the assembly block
if mul(y, gt(x, or(div(not(0), y), x))) { ~ }
The logic that we want to implement is require(y == 0 || x <= type(uint256).max / y). However, the or operation done between the division of type(uint256).max / y and x performs a Bitwise OR. The value X will never be greater than the bitwise OR of another number and itself.
Vulnerability Details
This vulnerability will allow an overflow to happen without any reverts.
function testMulWadUpOverflow() public pure {
uint256 result = MathMasters.mulWadUp(UINT256_MAX, UINT256_MAX);
assert(result < UINT256_MAX);
result = MathMasters.mulWadUp(UINT256_MAX, 2e18);
assert(result < UINT256_MAX);
}
Impact
This allows the mulWadUp() function to overflow without reverting.
Tools Used
Foundry
Recommendations
Remove the or operation in the if statement.
Lead Judging Commences
`mulWadUp` has a bad overflow check
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.