Potential Division by Zero and Input Validation Issues in OfferLibraries.sol
Summary
The Solidity code in OfferLibraries.sol contains functions getDepositAmount and getRefundAmount that potentially suffer from division by zero vulnerabilities and lack of comprehensive input validation. These issues could lead to unexpected behavior and logical errors in the contract's execution.
Vulnerability Details
Division by Zero:
The functions use
Math.mulDiv, which performs division. If the divisor values (_pointsandConstants.COLLATERAL_RATE_DECIMAL_SCALER) are zero, it could cause a division by zero error, leading to a contract failure.
-
Lack of Input Validation:
Inputs such as
_amount,_points,_usedPoints, and_collateralRateare not validated to ensure they are within acceptable ranges. This could result in logical errors or unexpected behavior.Specifically,
_usedPointsshould be checked to ensure it is not greater than_points, and_collateralRateshould be validated to be greater than zero to prevent any misuse.
Impact
The identified vulnerabilities could lead to:
Contract failures due to division by zero errors.
Logical errors and unexpected behavior if inputs are not properly validated.
Potential exploitation by malicious users to manipulate refund and deposit calculations.
Tools Used
Manual Review
Recommendations
Add Input Validation:
Include
requirestatements to validate that_points,_collateralRate, andConstants.COLLATERAL_RATE_DECIMAL_SCALERare greater than zero.Ensure
_usedPointsdoes not exceed_pointsto prevent logical inconsistencies.
-
Ensure Division Safety:
Validate all divisor values before performing division to ensure they are non-zero, preventing division by zero errors.
// SPDX-License-Identifier: GPL-2.0-or-laterimport "@openzeppelin/contracts/utils/math/Math.sol";import {OfferType} from "../interfaces/IPerMarkets.sol";import {Constants} from "../libraries/Constants.sol";library OfferLibraries {function getDepositAmount(OfferType _offerType,uint256 _collateralRate,uint256 _amount,bool _isMaker,Math.Rounding _rounding) internal pure returns (uint256) {require(_amount > 0, "Amount must be greater than zero");require(_collateralRate > 0, "Collateral rate must be greater than zero");require(Constants.COLLATERAL_RATE_DECIMAL_SCALER > 0, "Scaler must be greater than zero");if (_offerType == OfferType.Bid && _isMaker) {return _amount;}if (_offerType == OfferType.Ask && !_isMaker) {return _amount;}return Math.mulDiv(_amount,_collateralRate,Constants.COLLATERAL_RATE_DECIMAL_SCALER,_rounding);}function getRefundAmount(OfferType _offerType,uint256 _amount,uint256 _points,uint256 _usedPoints,uint256 _collateralRate) internal pure returns (uint256) {require(_amount > 0, "Amount must be greater than zero");require(_points > 0, "Points must be greater than zero");require(_usedPoints <= _points, "Used points must be less than or equal to total points");require(_collateralRate > 0, "Collateral rate must be greater than zero");require(Constants.COLLATERAL_RATE_DECIMAL_SCALER > 0, "Scaler must be greater than zero");uint256 usedAmount = Math.mulDiv(_amount,_usedPoints,_points,Math.Rounding.Ceil);if (_offerType == OfferType.Bid) {return _amount - usedAmount;}return Math.mulDiv(_amount - usedAmount,_collateralRate,Constants.COLLATERAL_RATE_DECIMAL_SCALER,Math.Rounding.Floor);}}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.