
FV-SOL-3 Arithmetic Errors

TLDR

Arithmetic-related security vulnerabilities stem primarily from numeric operations that receive unexpected values or hit edge cases.

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract OverflowExample {
    uint256 public count = 2**256 - 1;

    function increment() public {
        count += 1; // This will overflow and wrap to 0
    }
}

Classifications

Mitigation Patterns

Update Solidity Version (FV-SOL-3-M1)

Solidity 0.8+ offers built-in overflow and underflow protection.

Using Established Math Libraries (FV-SOL-3-M2)

Complex calculations should rely on the work already done in trusted, established math libraries.

Unit Testing on Edge Cases (FV-SOL-3-M3)

Write tests for edge cases, such as small or very large values, fractions close to rounding boundaries, zero values, and more.
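
The version upgrade (FV-SOL-3-M1) and edge-case testing (FV-SOL-3-M3) patterns combined, as an added example that is not part of the original page: the overflow contract above rebuilt for Solidity 0.8+, with boundary tests around the maximum value. The names CheckedCounter, CheckedCounterEdgeCases and the test functions are hypothetical, and the pragma assumes 0.8.1 or later because `catch Panic` is used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example: the page's OverflowExample rebuilt for Solidity 0.8+.
contract CheckedCounter {
    uint256 public count = type(uint256).max;

    // Checked arithmetic (the 0.8+ default): reverts with Panic(0x11) at the maximum.
    function increment() external {
        count += 1;
    }

    // `unchecked` restores the pre-0.8 wrapping behaviour, so the protection is opt-out.
    function incrementUnchecked() external {
        unchecked {
            count += 1;
        }
    }

    function set(uint256 value) external {
        count = value;
    }
}

// Hypothetical edge-case harness (FV-SOL-3-M3); each function returns true on pass.
contract CheckedCounterEdgeCases {
    function testIncrementRevertsAtMax() external returns (bool) {
        CheckedCounter c = new CheckedCounter();
        try c.increment() {
            return false; // no revert: the overflow went undetected
        } catch Panic(uint256 code) {
            // 0x11 is the panic code for arithmetic overflow/underflow
            return code == 0x11 && c.count() == type(uint256).max;
        }
    }

    function testUncheckedWrapsToZero() external returns (bool) {
        CheckedCounter c = new CheckedCounter();
        c.incrementUnchecked();
        return c.count() == 0;
    }

    function testIncrementJustBelowMax() external returns (bool) {
        CheckedCounter c = new CheckedCounter();
        c.set(type(uint256).max - 1);
        c.increment(); // last value that fits; must succeed
        return c.count() == type(uint256).max;
    }
}
```

When auditing a contract that has already moved to 0.8+, every `unchecked` block still needs the same overflow review as pre-0.8 code.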

Actual Occurrences

Content
