Skip to content
This repository has been archived by the owner on Sep 8, 2024. It is now read-only.

giraffe - _update will overflow and break all contract functionality #47

Closed
sherlock-admin2 opened this issue Mar 5, 2024 · 0 comments
Closed

giraffe - _update will overflow and break all contract functionality #47

sherlock-admin2 opened this issue Mar 5, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Mar 5, 2024
edited by sherlock-admin4
Loading

giraffe

high

_update will overflow and break all contract functionality

Summary

In JalaPair.sol, _update() increments price0CumulativeLast and price1CumulativeLast which are ever-increaasing variables. At some point this will overflow, always revert and break all contract functionality.

Vulnerability Detail

In Jalapair.sol, this is the _update() function:

// update reserves and, on the first call per block, price accumulators
    function _update(uint256 balance0, uint256 balance1, uint112 _reserve0, uint112 _reserve1) private {
        if (balance0 > type(uint112).max || balance1 > type(uint112).max) revert Overflow();
        uint32 blockTimestamp = uint32(block.timestamp % 2 ** 32);
        uint32 timeElapsed = blockTimestamp - blockTimestampLast; // overflow is desired
        if (timeElapsed > 0 && _reserve0 != 0 && _reserve1 != 0) {
            // * never overflows, and + overflow is desired
            price0CumulativeLast += uint256(UQ112x112.encode(_reserve1).uqdiv(_reserve0)) * timeElapsed;
            price1CumulativeLast += uint256(UQ112x112.encode(_reserve0).uqdiv(_reserve1)) * timeElapsed;
        }
        reserve0 = uint112(balance0);
        reserve1 = uint112(balance1);
        blockTimestampLast = blockTimestamp;
        emit Sync(reserve0, reserve1);
    }

This is an exact replica of Uniswap V2 which begs the question why Uniswap doesn't face the same issue.

The reason is because Uniswap V2 uses an older version of Solidity (0.5.16) where overflow does not revert. This is intentional as stated in the code comments that overflow by addition is desired.

However, for Jalaswap this desired overflow cannot happen as it uses a newer version of Solidity (^0.8.0) where overflows are caught and reverted.

This article from Rareskills discusses this bug exactly and states that "Correct modern implementations of the price oracle need to use the unchecked block to ensure everything overflows as expected."

Impact

_update() is called after every contract function (mint, burn swap, sync). So all contract functionality will be broken.

Code Snippet

https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaPair.sol#L100

Tool used

Manual Review

Recommendation

Wrap line 100 to 101 in an unchecked block to allow for overflow.

Duplicate of #186
@github-actions github-actions bot closed this as completed Mar 9, 2024
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Mar 9, 2024
@sherlock-admin4 sherlock-admin4 changed the title Fancy Cloth Robin - _update will overflow and break all contract functionality giraffe - _update will overflow and break all contract functionality Mar 18, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Mar 18, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin4