First Flight #8: Math Master
First Flight #8
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

In `MathMasters::mulWad` and `MathMasters::mulWadUp` functions the revert reason is empty

bube

Summary

In the MathMasters::mulWad and MathMasters::mulWadUp functions the error selector is wrong and the revert read from empty slot.

Vulnerability Details

In the MathMasters::mulWad and MathMasters::mulWadUp is used the error selector 0xbac65e5b for the cases when the functions revert.

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
@> mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
@> revert(0x1c, 0x04)
}
z := div(mul(x, y), WAD)
}
}
function mulWadUp(uint256 x, uint256 y) internal pure returns (uint256 z) {
/// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, or(div(not(0), y), x))) {
@> mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
@> revert(0x1c, 0x04)
}
if iszero(sub(div(add(z, x), y), 1)) { x := add(x, 1) }
z := add(iszero(iszero(mod(mul(x, y), WAD))), div(mul(x, y), WAD))
}
}

But 0xbac65e5b is a selector for MulWadFailed error from Solady library not for a MathMasters__MulWadFailed error from MathMasters contract.
The right selector for the error MathMasters__MulWadFailed from MathMasters contract is 0xa56044f7. This can be retrieved by using chisel and the command: cast sig "MathMasters__MulWadFailed()".

Additionally, the revert error is written to 0x40 and afterthat is read in the revert from 0x1c. That is incorrect and leads to empty reason for revert.

Impact

The functions MathMasters::mulWad and MathMasters::mulWadUp use wrong error selector and by reverting the reason is not MathMasters__MulWadFailed.

Also, the mstore(0x40, 0xbac65e5b) statement stores the error message identifier at memory location 0x40, but the revert(0x1c, 0x04) statement is trying to read from memory location 0x1c. These are different memory locations. The revert(0x1c, 0x04) statement will read the data stored at memory location 0x1c, which in this case is undefined (it is empty) since it hasn't been set anywhere else in the function. But if we change the memory location, the error message will be custom error 0xbac65e5b, because the selector of this error is not defined in this contract. It is from the Solady library.

Tools Used

VS Code, Foundry

Recommendations

Change mstore(0x40, 0xbac65e5b) to mstore(0x00, 0xa56044f7) in MathMasters::mulWad and MathMasters::mulWadUp functions to have Reason: MathMasters__MulWadFailed() by reverting:

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
+ mstore(0x00, 0xa56044f7)
- mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
z := div(mul(x, y), WAD)
}
}
function mulWadUp(uint256 x, uint256 y) internal pure returns (uint256 z) {
/// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, or(div(not(0), y), x))) {
+ mstore(0x00, 0xa56044f7)
- mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
if iszero(sub(div(add(z, x), y), 1)) { x := add(x, 1) }
z := add(iszero(iszero(mod(mul(x, y), WAD))), div(mul(x, y), WAD))
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong error selector

Wrong error storage

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!