Summary

The Solidity code in OfferLibraries.sol contains functions getDepositAmount and getRefundAmount that potentially suffer from division by zero vulnerabilities and lack of comprehensive input validation. These issues could lead to unexpected behavior and logical errors in the contract's execution.

Vulnerability Details

Division by Zero:

• The functions use Math.mulDiv, which performs division. If the divisor values (_points and Constants.COLLATERAL_RATE_DECIMAL_SCALER) are zero, it could cause a division by zero error, leading to a contract failure.

• Lack of Input Validation:

  • Inputs such as _amount, _points, _usedPoints, and _collateralRate are not validated to ensure they are within acceptable ranges. This could result in logical errors or unexpected behavior.

  • Specifically, _usedPoints should be checked to ensure it is not greater than _points, and _collateralRate should be validated to be greater than zero to prevent any misuse.

Impact

The identified vulnerabilities could lead to:

• Contract failures due to division by zero errors.

• Logical errors and unexpected behavior if inputs are not properly validated.

• Potential exploitation by malicious users to manipulate refund and deposit calculations.

Tools Used

Manual Review

Recommendations

Add Input Validation:

• Include require statements to validate that _points, _collateralRate, and Constants.COLLATERAL_RATE_DECIMAL_SCALER are greater than zero.

• Ensure _usedPoints does not exceed _points to prevent logical inconsistencies.

• Ensure Division Safety:

  • Validate all divisor values before performing division to ensure they are non-zero, preventing division by zero errors.

  // SPDX-License-Identifier: GPL-2.0-or-later

  pragma solidity ^0.8.13;

  ​

  import "@openzeppelin/contracts/utils/math/Math.sol";

  import {OfferType} from "../interfaces/IPerMarkets.sol";

  import {Constants} from "../libraries/Constants.sol";

  ​

  library OfferLibraries {

  function getDepositAmount(

  OfferType _offerType,

  uint256 _collateralRate,

  uint256 _amount,

  bool _isMaker,

  Math.Rounding _rounding

  ) internal pure returns (uint256) {

  require(_amount > 0, "Amount must be greater than zero");

  require(_collateralRate > 0, "Collateral rate must be greater than zero");

  require(Constants.COLLATERAL_RATE_DECIMAL_SCALER > 0, "Scaler must be greater than zero");

  ​

  if (_offerType == OfferType.Bid && _isMaker) {

  return _amount;

  }

  ​

  if (_offerType == OfferType.Ask && !_isMaker) {

  return _amount;

  }

  ​

  return Math.mulDiv(

  _amount,

  _collateralRate,

  Constants.COLLATERAL_RATE_DECIMAL_SCALER,

  _rounding

  );

  }

  ​

  function getRefundAmount(

  OfferType _offerType,

  uint256 _amount,

  uint256 _points,

  uint256 _usedPoints,

  uint256 _collateralRate

  ) internal pure returns (uint256) {

  require(_amount > 0, "Amount must be greater than zero");

  require(_points > 0, "Points must be greater than zero");

  require(_usedPoints <= _points, "Used points must be less than or equal to total points");

  require(_collateralRate > 0, "Collateral rate must be greater than zero");

  require(Constants.COLLATERAL_RATE_DECIMAL_SCALER > 0, "Scaler must be greater than zero");

  ​

  uint256 usedAmount = Math.mulDiv(

  _amount,

  _usedPoints,

  _points,

  Math.Rounding.Ceil

  );

  ​

  if (_offerType == OfferType.Bid) {

  return _amount - usedAmount;

  }

  ​

  return Math.mulDiv(

  _amount - usedAmount,

  _collateralRate,

  Constants.COLLATERAL_RATE_DECIMAL_SCALER,

  Math.Rounding.Floor

  );

  }

  }

  ​