Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Potential Overflow in divUp Function

kevinkkien

Summary

The divUp functions in the Math library lack overflow checks when adding 1 to the division result. If the result of the division is the maximum value representable by the SD59x18 or UD60x18 types, adding 1 would cause an overflow, leading to an incorrect result.

Vulnerability Details

The divUp functions are designed to perform ceiling division, rounding the result up to the nearest integer if there is a remainder. However, they do not account for the possibility of an overflow when adding 1 to the division result:

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/utils/Math.sol#L9-L15

function divUp(SD59x18 a, SD59x18 b) internal pure returns (SD59x18) {

return a.mod(b).isZero() ? a.div(b) : a.div(b).add(sd59x18(1)); // Potential overflow here

}

function divUp(UD60x18 a, UD60x18 b) internal pure returns (UD60x18) {

return a.mod(b).isZero() ? a.div(b) : a.div(b).add(ud60x18(1)); // Potential overflow here

}

If the division result (a.div(b)) is equal to the maximum value of the respective type (type(SD59x18).max or type(UD60x18).max), adding 1 will cause an overflow, wrapping the result back to the minimum value. This would lead to an incorrect calculation and potential errors in the system relying on this result.

Impact

The overflow in the divUp function could lead to incorrect results in calculations that rely on this function, potentially affecting the accuracy of financial calculations, interest rates, or other critical values.

Tools Used

Manual review

Recommendations

Implement overflow checks before adding 1 to the division result in both divUp functions. If the division result is the maximum value, either revert the transaction with an error or return a specific value to indicate the overflow condition.

function divUp(SD59x18 a, SD59x18 b) internal pure returns (SD59x18) {

SD59x18 result = a.div(b);

require(result != type(SD59x18).max, "Division result overflow");

return a.mod(b).isZero() ? result : result.add(sd59x18(1));

}

function divUp(UD60x18 a, UD60x18 b) internal pure returns (UD60x18) {

UD60x18 result = a.div(b);

require(result != type(UD60x18).max, "Division result overflow");

return a.mod(b).isZero() ? result : result.add(ud60x18(1));

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

11 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.