Summary
Incorrect overflow check at mulWadUp(uint256 x, uint256 y)
Vulnerability Details
function mulWadUp(uint256 x, uint256 y) internal pure returns (uint256 z) {
assembly {
-> if mul(y, gt(x, or(div(not(0), y), x))) {
mstore(0x40, 0xbac65e5b)
revert(0x1c, 0x04)
}
if iszero(sub(div(add(z, x), y), 1)) { x := add(x, 1) }
z := add(iszero(iszero(mod(mul(x, y), WAD))), div(mul(x, y), WAD))
}
}
Had instruction or
bitwise “or” of x and y
Result of the instruction Bitwise "or" operation with x
and any number will always be greater than or equal to x
. It follows that the gt
instruction will always return false
.
Impact
Does not throw an error when checking for overflow. Leads to loss of security for contract clients.
Tools Used
Manual review.
Recommendations
/// @dev Equivalent to `(x * y) / WAD` rounded up.
function mulWadUp(uint256 x, uint256 y) internal pure returns (uint256 z) {
/// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
- if mul(y, gt(x, or(div(not(0), y), x))) {
+ if mul(y, gt(x, div(not(0), y))) {
mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
if iszero(sub(div(add(z, x), y), 1)) { x := add(x, 1) }
z := add(iszero(iszero(mod(mul(x, y), WAD))), div(mul(x, y), WAD))
}
}