mulWad and mulWadUp overrides solidity free memory pointer and takes data for revert from incorrect memory position.
Summary
The mulWad and mulWadUp function of MathMaster library overrides the solidity free memory pointer, i.e. 0x40.
0x40 stores the address of memory which is free but instead of using the value at 0x40, both these functions directly use the 0x40 memory position to store the error selector, thus overriding the free memory pointer.Along with that while reverting with custom errors the memory position of the stored error selector is to be used but both these functions uses incorrect memory position (0x1c) to get the revert selector.
Vulnerability Details
The vulnerability occurs due to the usage of 0x40 memory location to store the revert selector instead of using the value at 0x40.
Thus losing the free memory address which is stored at 0x40 in solidity.
Also, in the revert statement the error selector is fetched from 0x1c location which is irrelevant as it is not used to store the selector.
Impact
Free memory address which is stored at 0x40 will be lost.
Reverts with incorrect error.
Tools Used
Manual Review
Recommendations
Use the value present as 0x40 to store the error selector and fetch the error selector from the correct position, i.e. the position at which the error selector is stored.
Lead Judging Commences
Wrong error storage
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.