The mulWadUp function exhibits a buffer overflow vulnerability due to an incorrect use of a bitwise OR operation, which alters the intended behavior of the overflow check.
The comment in the code suggests a check equivalent to require(y == 0 || x <= type(uint256).max / y), but the actual implementation does not adhere to this logic.
This vulnerability is particularly critical because the overflow protection normally provided by Solidity (version 0.8.0 and above) does not apply to assembly code.
The vulnerability is present in the following line of the mulWadUp function:
This can be demonstrated with the following test:
While executing this code, the result of the division is:
0x000000000000ffffffffffff000000000000ffffffffffff000000000000ffff
This is then OR'ed with x, which is greater:
0x000000000000ffffffffffff000000000000ffffffffffff0000000000ffffff
The result of the division after the OR is:
0x000000000000ffffffffffff000000000000ffffffffffff0000000000ffffff
As a result, the gt condition returns zero, and the mul by zero is zero, so the intended revert condition is not triggered.
The impact of this vulnerability is significant, as it allows arithmetic operations to overflow without triggering the necessary safety checks, while most users on a Solidity version above 0.8.0 don't expect an overflow to be possible.
Test Cases
To address this vulnerability, the overflow check should be corrected to accurately reflect the intended condition require(y == 0 || x <= type(uint256).max / y).
This means replacing the incorrect bitwise OR operation with a proper logical comparison.
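The guard with and without the OR, as an added Python model of the EVM opcodes (not the audited contract's code and not from the original finding). The guard shape mul(y, gt(x, or(div(not(0), y), x))) is an assumption reconstructed from the description above; Q and X are the values quoted in the finding, and the (x, y) pairs are constructed samples.

```python
# Added illustration (not the audited contract): EVM opcodes modelled on Python ints.
MAX = 2**256 - 1  # not(0), i.e. type(uint256).max

def div(a, b):
    """EVM DIV: division by zero yields 0 instead of trapping."""
    return 0 if b == 0 else a // b

def gt(a, b):
    """EVM GT: 1 if a > b, else 0."""
    return 1 if a > b else 0

def guard_with_or(x, y):
    """Assumed shape of the flawed guard: the quotient is OR'ed with x before gt.
    Returns True when the guard would revert."""
    return y * gt(x, div(MAX, y) | x) != 0

def guard_intended(x, y):
    """Guard matching the comment: require(y == 0 || x <= type(uint256).max / y)."""
    return y * gt(x, div(MAX, y)) != 0

def product_wraps(x, y):
    """True when x * y does not fit in 256 bits, so assembly mul would wrap."""
    return x * y > MAX

# Quotient and x as quoted in the finding.
Q = 0x000000000000ffffffffffff000000000000ffffffffffff000000000000ffff
X = 0x000000000000ffffffffffff000000000000ffffffffffff0000000000ffffff

def or_step():
    """(quotient | x, gt after the OR, gt without the OR) for the finding's values."""
    return Q | X, gt(X, Q | X), gt(X, Q)

# Constructed (x, y) pairs: zero operands, exact boundary, and wrapping products.
SAMPLES = [(0, 0), (MAX, 0), (MAX, 1), (3, 5),
           (2**128, 2**128), (2**255, 2), (MAX, MAX), (X, 2**64)]

def survey():
    """One (wraps, flawed guard reverts, intended guard reverts) tuple per sample."""
    return [(product_wraps(x, y), guard_with_or(x, y), guard_intended(x, y))
            for x, y in SAMPLES]

if __name__ == "__main__":
    print([hex(v) for v in or_step()])
    for (x, y), row in zip(SAMPLES, survey()):
        print(hex(x), hex(y), row)
```

Because quotient | x is never smaller than x, gt(x, quotient | x) is 0 for every input, so the OR'ed guard cannot revert; the plain comparison reverts exactly on the wrapping products.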