Omniscia Maverick Protocol Audit

Math Manual Review Findings

MHT-01M: Potentially Insecure Casting Operation

Description:

The Math::floorD8 function floors an 8-decimal (D8) fixed-point number, i.e. it divides by INT_ONE_D8 and rounds the quotient towards negative infinity.

In its operation, the int256 expression val / INT_ONE_D8 is cast to int32 without any range check. An explicit narrowing conversion in Solidity keeps only the low 32 bits regardless of whether it sits in an unchecked block, so a quotient outside the int32 range silently wraps instead of reverting.

Example:

v2-common/contracts/libraries/Math.sol

/**
 * @notice Floor of a D8 number.
 */
function floorD8(int256 val) internal pure returns (int32) {
    int32 val32;
    bool check;
    unchecked {
        // Narrowing conversion: keeps only the low 32 bits of the int256 quotient.
        val32 = int32(val / INT_ONE_D8);
        // Division truncates toward zero, so negative non-multiples need one more step down.
        check = (val < 0 && val % INT_ONE_D8 != 0);
    }
    return check ? val32 - 1 : val32;
}

Recommendation:

The current invocations of Math::floorD8 within the codebase are safe, as they are performed on TWAP values that are expected to comply with strict limits, keeping the scaled quotient well within the int32 range, i.e. with a magnitude significantly less than (type(int32).max + 1) * INT_ONE_D8.

We nonetheless advise that a range check be imposed, as the Math library is meant to be re-usable code that may end up being utilized by future Maverick Protocol modules whose authors are not aware of this behaviour.
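As an added illustration of the recommended range check (example code written for this review, not Maverick Protocol's own), the following Solidity library performs the bounds check on the int256 quotient before narrowing it. It assumes INT_ONE_D8 equals 1e8, the scale of an 8-decimal fixed-point number; the library, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// @dev Added example, not Maverick Protocol code. INT_ONE_D8 is assumed to be 1e8,
///      the scale of an 8-decimal (D8) fixed-point number; all names are hypothetical.
library CheckedFloorExample {
    int256 internal constant INT_ONE_D8 = 1e8;

    error FloorD8OutOfRange(int256 val);

    /// @notice Floor of a D8 number that reverts instead of silently truncating.
    /// @dev An explicit int256 -> int32 conversion keeps only the low 32 bits, in checked
    ///      and unchecked code alike, so a quotient of 2**31 would come back as -2**31.
    ///      The range check is therefore performed on the int256 quotient before the cast.
    function floorD8Checked(int256 val) internal pure returns (int32) {
        int256 q = val / INT_ONE_D8; // integer division truncates toward zero
        // Flooring a negative non-multiple steps one further down; that result must fit too.
        if (val < 0 && val % INT_ONE_D8 != 0) {
            q -= 1;
        }
        if (q < type(int32).min || q > type(int32).max) {
            revert FloorD8OutOfRange(val);
        }
        return int32(q);
    }

    /// @dev The boundary case the check guards against: the smallest positive input whose
    ///      quotient (2**31) no longer fits an int32. The unchecked cast wraps it to
    ///      type(int32).min, whereas floorD8Checked reverts for the same input.
    function smallestOverflowingInput() internal pure returns (int256 val, int32 wrapped) {
        val = (int256(type(int32).max) + 1) * INT_ONE_D8;
        unchecked {
            wrapped = int32(val / INT_ONE_D8);
        }
    }
}
```

Checking the int256 quotient rather than the int32 result is the important detail: once the value has been narrowed, the information needed to detect the wrap is already gone.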

Alleviation (175f8c39b19df69134add3aa8a2a042ce3047763):

The function's name was instead adjusted to Math::floorD8Unchecked, highlighting its unchecked nature. We consider this exhibit addressed, as the rename minimizes the possibility of misuse in future iterations of the codebase.

MHT-02M: Potentially Insecure Negations

Description:

The Math::abs32 and Math::abs functions presently perform a negation within an unchecked code block.

As two's complement signed integer types contain one more value in the negative range than in the positive range, negating the minimum value of the type (type(int32).min or type(int256).min respectively) has no representable result and overflows, wrapping back to the same minimum value inside the unchecked block.

Example:

v2-common/contracts/libraries/Math.sol

function abs32(int32 x) internal pure returns (uint32) {
    unchecked {
        // -x wraps for x == type(int32).min; the result is then reinterpreted as uint32.
        return uint32(x < 0 ? -x : x);
    }
}

function abs(int256 x) internal pure returns (uint256) {
    unchecked {
        // -x wraps for x == type(int256).min; the result is then reinterpreted as uint256.
        return uint256(x < 0 ? -x : x);
    }
}

Recommendation:

The call sites of Math::abs32 and Math::abs in the codebase operate on tick values that are expected to remain within ranges for which the negation can never overflow, i.e. never equal to type(int32).min or type(int256).min.

We nonetheless advise that a check be imposed, as the Math library is meant to be re-usable code that may end up being utilized by future Maverick Protocol modules whose authors are not aware of this behaviour.
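As an added illustration (example code written for this review, not Maverick Protocol's own), the following Solidity library shows the explicit check suggested above, alongside a function that reproduces why the unchecked negation still yields the correct magnitude at the minimum value. The library, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// @dev Added example, not Maverick Protocol code; all names are hypothetical.
library CheckedAbsExample {
    error AbsOverflow(int256 x);

    /// @notice Absolute value of an int32 that rejects the one input with no valid negation.
    /// @dev int32 covers [-2**31, 2**31 - 1], so -type(int32).min is not an int32. In checked
    ///      0.8 code the negation would revert with Panic(0x11); the explicit check replaces
    ///      that panic with a descriptive error and makes the precondition visible to callers.
    function abs32Checked(int32 x) internal pure returns (uint32) {
        if (x == type(int32).min) revert AbsOverflow(x);
        return uint32(x < 0 ? -x : x);
    }

    /// @notice Same check for int256, whose only unrepresentable negation is type(int256).min.
    function absChecked(int256 x) internal pure returns (uint256) {
        if (x == type(int256).min) revert AbsOverflow(x);
        return uint256(x < 0 ? -x : x);
    }

    /// @dev Why the unchecked original still returns the right magnitude: negating
    ///      type(int32).min wraps back to type(int32).min (bit pattern 0x80000000), and
    ///      reinterpreting that pattern as uint32 yields 2**31, the correct absolute value.
    function abs32UncheckedAtMin() internal pure returns (uint32) {
        int32 x = type(int32).min;
        unchecked {
            return uint32(-x);
        }
    }
}
```

Whether the explicit check is worth its gas depends on the caller: for a reusable library the check documents the precondition, while the unchecked form relies on the reader knowing that the wrapped bit pattern happens to be the right answer.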

Alleviation (175f8c39b19df69134add3aa8a2a042ce3047763):

The Maverick Protocol team evaluated this exhibit and opted to retain the current behaviour, as the functions still return the correct result in the overflow case: negating type(int32).min within an unchecked block wraps back to type(int32).min, and reinterpreting its two's complement bit pattern as uint32 yields exactly 2**31, the correct absolute value (and likewise for type(int256).min in Math::abs).

As such, we consider this exhibit safely acknowledged.