In LibMath.sol, the function roundUpDiv(uint256 a, uint256 b)
contains a logic case in which division by zero evaluates to zero.
Consider the code block of the function roundUpDiv below.
In the case that
a = 0 and b = 0
the function returns 0 as the answer.
This is mathematically incorrect, as 0 divided by 0 is undefined.
However, due to the statement
if (a == 0) return 0;
this specific case is short-circuited and the result is zero.
Without that statement the case would not exist. The statement is there to prevent an underflow, but in doing so it opens up a new vulnerability.
The main impact is the calcReserve(...) function in ConstantProduct2.sol, which would return zero in the case that the liquidity pool total supply and the reserve being calculated are equal to zero. This bug could also increase the attack surface for an attacker on any contract that relies on ConstantProduct2 or LibMath for calculation.
Manual Review
I would recommend that a zero check be added as below
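The zero check, shown next to the behaviour described above, as an added Solidity example (not the project's LibMath.sol and not code from the original submission). Only the line if (a == 0) return 0; is quoted in the finding; the (a - 1) / b + 1 body is inferred from the underflow remark, and the library, contract, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration; names are hypothetical and this is not the project's library.
library RoundUpDivExample {
    error DivisionByZero();

    /// Behaviour described in the finding.
    /// Assumption: the body after the early return is (a - 1) / b + 1.
    function roundUpDivAsDescribed(uint256 a, uint256 b) internal pure returns (uint256) {
        // Returns before b is inspected, so (0, 0) yields 0 instead of reverting.
        if (a == 0) return 0;
        // For a > 0 and b == 0 the compiler's built-in check reverts with Panic(0x12).
        return (a - 1) / b + 1;
    }

    /// Hardened form: reject a zero divisor before the a == 0 shortcut.
    function roundUpDivChecked(uint256 a, uint256 b) internal pure returns (uint256) {
        if (b == 0) revert DivisionByZero();
        if (a == 0) return 0;
        return (a - 1) / b + 1;
    }
}

/// Thin wrapper so both variants can be called from a test or a console.
contract RoundUpDivDemo {
    // asDescribed(0, 0) returns 0; asDescribed(1, 0) reverts with Panic(0x12).
    function asDescribed(uint256 a, uint256 b) external pure returns (uint256) {
        return RoundUpDivExample.roundUpDivAsDescribed(a, b);
    }

    // hardened(0, 0) and hardened(1, 0) both revert with DivisionByZero();
    // hardened(7, 2) returns 4 and hardened(0, 5) returns 0, as before.
    function hardened(uint256 a, uint256 b) external pure returns (uint256) {
        return RoundUpDivExample.roundUpDivChecked(a, b);
    }
}
```

With the check in place, a caller such as calcReserve(...) that reaches the division with both values at zero gets a revert rather than a zero result.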