Submission Details
Severity:
Incorrect Overflow check Logic
Description: The incorrect overflow check in the MathMasters::mulWadUp function if statement prevents the function from correctly asserting if x*y overflows and reverting with the appropriate error, This would cause the value x*y to wrap rather than revert as the multiplication is done in assembly.
Impact: High, undefined behaviour and wrong calculation values
POC:
the following test passes and logs 0 rather than revert with an appropriate error
function test_mulWadUpOnOverflow() public pure {
uint256 z = MathMasters.mulWadUp(UINT256_MAX, UINT256_MAX);
console2.log(z);
}
Recommendation:
/// @dev Equivalent to `(x * y) / WAD` rounded up.
function mulWadUp(uint256 x, uint256 y) internal pure returns (uint256 z) {
/// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
@> if mul(y, gt(x, div(not(0), y))) {
mstore(0x0, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
if iszero(sub(div(add(z, x), y), 1)) {
x := add(x, 1)
}
z := add(iszero(iszero(mod(mul(x, y), WAD))), div(mul(x, y), WAD))
}
}
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
`mulWadUp` has a bad overflow check
Rewards breakdown
nSLOC
46This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.