RocketNetworkFees.sol compiles with Solidity 0.7.6, which doesn't have built-in overflow protection. The contract uses SafeMath for add/sub/mul/div, but the exponentiation operator ** on line 72 isn't covered by SafeMath:
uint256 t = nNodeDemand.div(demandDivisor) ** 3;
** in Solidity 0.7.x wraps on overflow without reverting. In the current configuration the intermediate values are small enough that this doesn't overflow in practice, but if demandDivisor were ever adjusted through governance to a significantly smaller value, the cube could silently wrap and produce a tiny t, which would send the fee interpolation to the wrong end of the curve.
The fix would be checking for overflow manually before the exponentiation, or using a library like ABDKMathQuad / PRBMath that handles ** safely. Since 0.7.6 doesn't have native unchecked blocks, something like:
uint256 base = nNodeDemand.div(demandDivisor);
uint256 t = base * base * base;
require(t / base / base == base, "overflow");
Or just bumping to Solidity 0.8+ for the built-in overflow checks on ** as well.
RocketNetworkFees.solcompiles with Solidity 0.7.6, which doesn't have built-in overflow protection. The contract uses SafeMath for add/sub/mul/div, but the exponentiation operator**on line 72 isn't covered by SafeMath:**in Solidity 0.7.x wraps on overflow without reverting. In the current configuration the intermediate values are small enough that this doesn't overflow in practice, but ifdemandDivisorwere ever adjusted through governance to a significantly smaller value, the cube could silently wrap and produce a tinyt, which would send the fee interpolation to the wrong end of the curve.The fix would be checking for overflow manually before the exponentiation, or using a library like
ABDKMathQuad/PRBMaththat handles**safely. Since 0.7.6 doesn't have nativeuncheckedblocks, something like:Or just bumping to Solidity 0.8+ for the built-in overflow checks on
**as well.