DeFiHardhat
12,000 USDC
Submission Details
Severity: low
Invalid

Division by zero error can occur in `MultiFlowPump::calcCapExponent` causing unexpected txn revert

Vulnerability Details

Note: Division by zero is covered by the bot, but the instance reported here is not.

`calcCapExponent` is called from many functions in `MultiFlowPump`, such as `update`, with `capInterval` passed as a parameter. The parameter is never checked for zero, so it can be passed as zero, which causes an unexpected revert due to a division-by-zero error.

MultiFlowPump::calcCapExponent function

File: src/pumps/MultiFlowPump.sol

```solidity
function calcCapExponent(uint256 deltaTimestamp, uint256 capInterval) private pure returns (uint256 capExponent) {
    capExponent = ((deltaTimestamp - 1) / capInterval + 1);
    // @audit a division-by-zero error can occur here, since capInterval is never checked for a 0 value
}
```

MultiFlowPump::update function

File: src/pumps/MultiFlowPump.sol

```solidity
function update(uint256[] calldata reserves, bytes calldata data) external {
    (bytes16 alpha, uint256 capInterval, CapReservesParameters memory crp) =
        abi.decode(data, (bytes16, uint256, CapReservesParameters));
    // @audit capInterval is declared here and assigned the decoded value
    uint256 numberOfReserves = reserves.length;
    PumpState memory pumpState;
    // All reserves are stored starting at the msg.sender address slot in storage.
    bytes32 slot = _getSlotForAddress(msg.sender);
    // Read: Last Timestamp & Last Reserves
    (, pumpState.lastTimestamp, pumpState.lastReserves) = slot.readLastReserves();
    // If the last timestamp is 0, then the pump has never been used before.
    if (pumpState.lastTimestamp == 0) {
        _init(slot, uint40(block.timestamp), reserves);
        return;
    }
    bytes16 alphaN;
    bytes16 deltaTimestampBytes;
    uint256 capExponent;
    // Isolate in brackets to prevent stack too deep errors
    {
        uint256 deltaTimestamp = _getDeltaTimestamp(pumpState.lastTimestamp);
        // If no time has passed, don't update the pump reserves.
        if (deltaTimestamp == 0) return;
        alphaN = alpha.powu(deltaTimestamp);
        deltaTimestampBytes = deltaTimestamp.fromUInt();
        // Round up in case capInterval > block time to guarantee capExponent > 0 if time has passed since the last update.
        capExponent = calcCapExponent(deltaTimestamp, capInterval);
        // @audit capInterval is passed exactly as decoded, without checking for a 0 value
    }
}
```

Impact

Unexpected revert from a division-by-zero error, because the `capInterval` parameter is never checked for 0.
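How the two reverts in this arithmetic surface under Solidity 0.8 checked math, and what a decode-time check looks like, as an added example that is not part of the submission or the audited code base. The contract name, `probe`, `decodeChecked`, the `ZeroCapInterval` error and the simplified `(bytes16, uint256)` payload are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from the audited repository.
contract CapExponentDemo {
    error ZeroCapInterval(); // hypothetical custom error

    // Same arithmetic as the excerpt: ceil(deltaTimestamp / capInterval) for deltaTimestamp > 0.
    // Public here (private in the excerpt) so it can be reached through try/catch.
    function calcCapExponent(uint256 deltaTimestamp, uint256 capInterval)
        public
        pure
        returns (uint256 capExponent)
    {
        capExponent = (deltaTimestamp - 1) / capInterval + 1;
    }

    // Classifies a call: ok = true with the exponent, or ok = false with the panic code.
    // Panic 0x12 is division or modulo by zero; Panic 0x11 is arithmetic overflow/underflow,
    // which `deltaTimestamp - 1` raises first when deltaTimestamp is 0.
    function probe(uint256 deltaTimestamp, uint256 capInterval)
        external
        view
        returns (bool ok, uint256 value)
    {
        try this.calcCapExponent(deltaTimestamp, capInterval) returns (uint256 e) {
            return (true, e);
        } catch Panic(uint256 code) {
            return (false, code);
        }
    }

    // Hypothetical decode-time validation: reject a zero capInterval where `data` is decoded,
    // so the failure names the bad parameter instead of surfacing as a generic panic.
    // Simplified layout; the real payload also carries CapReservesParameters.
    function decodeChecked(bytes calldata data) external pure returns (uint256 capInterval) {
        (, capInterval) = abi.decode(data, (bytes16, uint256));
        if (capInterval == 0) revert ZeroCapInterval();
    }
}
```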

Tools Used

Manual Review

Recommended Mitigation

File: src/pumps/MultiFlowPump.sol
476: function calcCapExponent(uint256 deltaTimestamp, uint256 capInterval) private pure returns (uint256 capExponent) {
+ require(capInterval>0,"Denominator should be non zero");
477: capExponent = ((deltaTimestamp - 1) / capInterval + 1);
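Review bot: the require on the `+` line still reverts the call when capInterval is 0, so it replaces the division-by-zero panic on line 477 with a string revert rather than removing the revert described under Impact. If a clearer failure is the aim, validate capInterval once in update, right after the abi.decode of data, so the check sits beside the input it guards instead of inside a private pure helper. The message should also name the parameter, for example "capInterval is zero" rather than "Denominator should be non zero".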
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
