elasticdao/contracts

[Audit Fix] `ElasticMath.capitalDelta` missing `SafeMath.sub` use

Closed this issue · 0 comments

dmvt commented

Use of SafeMath.sub is missing in the function join, in the call to ElasticMath.capitalDelta.

Risk Rating

1 (low)

Vulnerability Details

A subtraction is made without using SafeMath in the call to the function ElasticMath.capitalDelta:

ElasticDAO.sol:

```solidity
function join(uint256 _deltaLambda) {
    // ... (excerpt)
    uint256 capitalDelta =
      ElasticMath.capitalDelta(
        // the current totalBalance of the DAO is inclusive of msg.value,
        // capitalDelta is to be calculated without the msg.value
        address(this).balance - msg.value, // plain `-`: not routed through SafeMath.sub
        tokenContract.totalSupply()
      );
    // ... (excerpt)
}
```

Impact

Although in practice this will not result in a negative value, this happens to be one of the more dangerous points because ETH is being handled here.

Tools Used

Remix

Recommended Mitigation Steps

Use SafeMath.sub

Definition of Done

  • above code uses SafeMath.sub
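
The unchecked subtraction and its SafeMath.sub form side by side, as an added example that is not part of the original issue or the ElasticDAO code base. It assumes a pre-0.8 Solidity compiler (where `-` on `uint256` wraps silently); the inline `SafeMath` library, the contract name and the function names are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
// Assumption: pre-0.8 compiler, where uint256 arithmetic wraps instead of reverting.
pragma solidity ^0.7.0;

// Minimal stand-in for a SafeMath library, reduced to the one function the issue asks for.
library SafeMath {
  function sub(uint256 a, uint256 b) internal pure returns (uint256) {
    require(b <= a, 'SafeMath: subtraction overflow');
    return a - b;
  }
}

// Hypothetical contract (not ElasticDAO) isolating the first argument passed to capitalDelta.
contract PreJoinBalanceExample {
  using SafeMath for uint256;

  // Before: mirrors `address(this).balance - msg.value` from the issue.
  // If value > balance, the result wraps to a very large number instead of failing,
  // e.g. (1, 2) yields 2**256 - 1.
  function uncheckedPreJoinBalance(uint256 balance, uint256 value)
    public pure returns (uint256)
  {
    return balance - value;
  }

  // After: the same computation through SafeMath.sub; (1, 2) now reverts.
  function checkedPreJoinBalance(uint256 balance, uint256 value)
    public pure returns (uint256)
  {
    return balance.sub(value);
  }

  // The checked expression as it would sit inside a payable function:
  // the contract balance already includes msg.value, so the result is the
  // balance before this deposit, and any violation of that invariant reverts.
  function deposit() external payable returns (uint256 balanceBeforeDeposit) {
    balanceBeforeDeposit = SafeMath.sub(address(this).balance, msg.value);
  }
}
```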