Missing muldiv usage can lead to overflow
Summary
Calculations throughout the contract use the mulDiv function. This prevents overflows unless the result itself is larger than uint256. However in the _capLpTokenSupply function the code does a raw multiplication followed by a raw division. This can lead to overflows if the result of the multiplication is larger than uint256.
Vulnerability Details
When calculating the LPtokenSupply capped values, if the LP has increased, the new capped LP supply is calculated as
This uses the mulDiv since the intermediate result of lastLpTokenSupply * tempExp can be larger than uint256, especially since one is an exponentiated term and the other is scaled up by the CAP_PRECISION2 factor.
In fact, the chances of overflowing increase over time, since the tempExp term grows with time.
However, when calculating the capped LPtokenSupply on a decrease in LP, the code does a raw multiplication followed by a raw division.
This function should also use the mulDiv function so that the function does not revert due to overflow if the intermediate result is larger than uint256.
Impact
The calculation can revert due to underflow due to not using the mulDiv function. Can lead to a bricked well.
Tools Used
Manual Review
Recommendations
Use the mulDiv function in the _capLpTokenSupply function to prevent overflows.
Lead Judging Commences
Informational/Invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.