[Audit Fix] revert wmul on 0 response

Question

[Audit Fix] revert wmul on 0 response

Closed this issue 4 years ago · 1 comments

wmul of of two positive numbers can result in zero.

Risk Rating

Impact = High Likelihood = High Risk = Critical (per OWASP)

Vulnerability Details

ElasticMath functions wmul and wdiv for float values are inspired by https://github.com/dapphub/ds-math/blob/master/src/math.sol as noted in the code comment. But that contract has a critical issue as noted in their repository from Oct 2019: dapphub/ds-math#13.

The critical error (as raised by the issue) is that the wmul multiplication of two positive numbers a and b can result in zero for every a,b > 0 and b < 5*10^17 / a. For e.g., wmul(1,1) returns 0.
Impact

Given that wmul is used for all the critical math operations on the tokens, it can produce unexpected results when the operands a and b are positive integers because wmul will return 0.

Proof of Concept

https://github.com/elasticdao/code-contests/blob/e643cce4bbec683765e3b9a1ab576542ac61000f/contests/02-elasticdao/contracts/libraries/ElasticMath.sol#L138-L148

Extracting this function and testing in Remix confirms that wmul(1,1) returns 0.

Definition of Done

revert when wmul returns 0
there is a test showing this using the proof of concept case

Answer 1 · 2021-03-10T19:08:55.000Z

This issue is invalid, as confirmed by @smalldutta here: https://gist.github.com/smalldutta/51a9836b223277f1595467ad81f27737