Beanstalk: Dive Into Basin
Beanstalk
DeFiHardhat
12,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`lpTokenSupply` exponentiation could overflow

tigerfrake

Summary

In Solidity, the maximum value for a uint256 is 2^256 - 1. An overflow occurs when a calculation results in a number higher than this maximum value.

Vulnerability Details

For the calcReserve() function, the overflow scenario in the exponentiation step (lpTokenSupply ** 2) would occur if the lpTokenSupply is large enough that squaring it exceeds 2^256 - 1.

calcReserve()

function calcReserve(
uint256[] calldata reserves,
uint256 j,
uint256 lpTokenSupply,
bytes calldata
) external pure override returns (uint256 reserve) {
if (j >= 2) {
revert InvalidJArgument();
}
// Note: potential optimization is to use unchecked math here
reserve = lpTokenSupply ** 2;
reserve = LibMath.roundUpDiv(reserve, reserves[j == 1 ? 0 : 1] * EXP_PRECISION);
}

The relevant line is this:

reserve = lpTokenSupply ** 2;
Let's consider a scenario:

  • Let lpTokenSupply be x.

  • The maximum value before overflow upon squaring would be the square root of 2^256 - 1, which is approximately 2^128.

  • If lpTokenSupply (x) is greater than 2^128, then x * x would result in a number larger than 2^256 - 1, causing an overflow.

For example, if lpTokenSupply is 2^130, then squaring it (2^130 * 2^130) would result in 2^260, which is greater than 2^256 - 1, leading to an overflow.

Impact

Revert Transaction: Solidity 0.8.x automatically reverts the transaction if an arithmetic operation overflows.

Tools Used

Manual Review

Recommendations

  • Input Validation:

Ensure that lpTokenSupply is within a range that, when squared, does not exceed the maximum uint256 value.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.