LibConvert Static Analysis Findings

LibConvert Static Analysis Findings

LCT-01S: Inexistent Usage of SafeMath

Description:

The linked addition of total beans converted is not performed safely.

Example:

protocol/contracts/libraries/LibConvert.sol
24function sellToPegAndAddLiquidity(uint256 beans, uint256 minLP)
25    internal
26    returns (uint256 lp, uint256 beansConverted)
27{
28    (uint256 ethReserve, uint256 beanReserve) = reserves();
29    uint256 maxSellBeans = beansToPeg(ethReserve, beanReserve);
30    require(maxSellBeans > 0, "Convert: P must be > 1.");
31    uint256 sellBeans = calculateSwapInAmount(beanReserve, beans);
32    if (sellBeans > maxSellBeans) sellBeans = maxSellBeans;
33

34    (uint256 beansSold, uint256 wethBought) = LibMarket._sell(sellBeans, 1, address(this));
35    (beansConverted,, lp) = LibMarket._addLiquidityWETH(wethBought,beans.sub(beansSold),1,1);
36    require(lp >= minLP, "Convert: Not enough LP.");
37    beansConverted = beansConverted + beansSold;
38}

Recommendation:

We advise the operation to be performed safely by utilising the add member of the SafeMath library similarly to the removed beans calculation in the ensuing function.

Alleviation:

The linked calculation is now safely performed by the relevant SafeMath function.

View Fix on GitHub

Prev

InitHotFix4.sol (PRC-S)

Next

LibMarket.sol (LMT-S)

On this page

Navigated to LibConvert Static Analysis Findings