
AuditProfile

Security blog

Security Snippets: #8

Do you think integer overflow is no longer a modern bug? Take a look at this report from the Panoptic contest.

Panoptic is a permissionless options trading protocol. It enables the trading of perpetual options on top of any Uniswap V3 pool.

In the mint function, the user-controlled shares parameter is passed straight to previewMint, which calculates the required assets inside an unchecked block. If shares is large enough, shares * DECIMALS wraps around modulo 2^256, and the resulting assets value is tiny.

// Vulnerable snippet as quoted in the report: the multiplication is unchecked,
// so a huge `shares` makes `shares * DECIMALS` wrap to a small number.
function previewMint(uint shares) public view returns (uint assets) {
    unchecked {
        assets = Math.mulDivRoundingUp(
            shares * DECIMALS, totalAssets(), totalSupply * (DECIMALS - COMMISSION_FEE)
        );
    }
}

function mint(uint shares, address receiver) external returns (uint assets) {
    assets = previewMint(shares);
    // This bound only rejects results that are too large; a wrapped, tiny
    // `assets` value passes it.
    if (assets > type(uint104).max) revert Errors.DepositTooLarge();
    ...
}
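To make the wraparound concrete, here is an added Python model of the previewMint arithmetic. It is not Panoptic's code and not from the report; the constants DECIMALS and COMMISSION_FEE, the vault balances, and the helper names are assumptions chosen for illustration. The unchecked variant reproduces the 256-bit wrap, the checked variant shows what Solidity 0.8 arithmetic does outside an unchecked block, and the uint104 bound from mint is modeled to show why it does not catch the wrapped result.

```python
# Constructed model of the previewMint arithmetic discussed above.
# Not Panoptic's code: constants and state values are assumed placeholders.

UINT256_MAX = 2**256 - 1
UINT104_MAX = 2**104 - 1

# Assumed constants in the style of the snippet (fee in basis points).
DECIMALS = 10_000
COMMISSION_FEE = 10


def mul_div_rounding_up(a: int, b: int, denominator: int) -> int:
    """Full-precision ceil(a * b / denominator), the semantics of a
    mulDivRoundingUp helper; reverts (raises) if the result exceeds uint256."""
    if denominator == 0:
        raise ZeroDivisionError("denominator is zero")
    result = -(-(a * b) // denominator)  # floor of the negation == ceiling
    if result > UINT256_MAX:
        raise OverflowError("mulDiv result does not fit in uint256")
    return result


def preview_mint_unchecked(shares: int, total_assets: int, total_supply: int) -> int:
    """Mirrors the vulnerable snippet: shares * DECIMALS wraps modulo 2**256."""
    numerator = (shares * DECIMALS) & UINT256_MAX  # unchecked multiplication
    denominator = total_supply * (DECIMALS - COMMISSION_FEE)
    return mul_div_rounding_up(numerator, total_assets, denominator)


def preview_mint_checked(shares: int, total_assets: int, total_supply: int) -> int:
    """Same formula with checked arithmetic: an overflowing product reverts
    instead of wrapping, which is what Solidity 0.8 does outside `unchecked`."""
    product = shares * DECIMALS
    if product > UINT256_MAX:
        raise OverflowError("shares * DECIMALS overflows uint256")
    denominator = total_supply * (DECIMALS - COMMISSION_FEE)
    return mul_div_rounding_up(product, total_assets, denominator)


def passes_mint_bound(assets: int) -> bool:
    """Models `if (assets > type(uint104).max) revert`: it rejects only
    results that are too large, so a wrapped, tiny result passes."""
    return assets <= UINT104_MAX


def smallest_wrapping_shares() -> int:
    """Smallest `shares` for which shares * DECIMALS exceeds uint256."""
    return -(-(2**256) // DECIMALS)  # ceil(2**256 / DECIMALS)


if __name__ == "__main__":
    # Constructed vault state: 1,000,000 tokens of assets backing as many shares.
    total = 1_000_000 * 10**18
    honest = preview_mint_unchecked(1000 * 10**18, total, total)
    wrapped = preview_mint_unchecked(smallest_wrapping_shares(), total, total)
    print("honest mint of 1000 shares costs", honest, "asset units")
    print("wrapping mint costs", wrapped, "asset units; bound passes:",
          passes_mint_bound(wrapped))
    try:
        preview_mint_checked(smallest_wrapping_shares(), total, total)
    except OverflowError as exc:
        print("checked arithmetic reverts:", exc)
```

The wrapped numerator is `shares * DECIMALS - 2**256`, which for the smallest wrapping share count is a two-digit number, so the rounded-up asset requirement collapses to a single unit while the uint104 bound happily accepts it. The checked variant fails closed at the multiplication, which is the property an auditor should confirm for every argument that flows into an unchecked block.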

This report shows the importance of validating arguments and reviewing every unchecked block during each audit iteration. Read the full report here:

Link: https://code4rena.com/reports/2024-04-panoptic#h-02-overflow-in-collateraltracker-allows-minting-shares-for-free

#overflow

Connect with me:
