Arithmetic overflow leading to DOS
Description
The Uniswap code explicitly allows arithmetic overflows in the _update function. Arithmetic overflows are allowed when calculating the new value of the price0CumulativeLast and price1CumulativeLast accumulator variables.
Since the Facet Swap code targets a modern version of Solidity, which uses checked arithmetic operations by default, the _update function does not allow arithmetic overflows and behaves differently from the UniswapV2 code.
Impact
Without allowing overflows, all pair contracts will eventually reach a state of permanent denial of service, since the price0CumulativeLast and price1CumulativeLast variables only ever increase.
When their value grows to a point where any attempt to update them causes an overflow, all functions of the contract that directly or indirectly invoke _update will revert.
The DOS can be recovered by upgrading the contracts.
Recommendations
Allow the specific arithmetic operations that UniswapV2 intends to overflow to do so silently by wrapping them in unchecked blocks.
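The difference between the checked and the unchecked accumulator update, as an added example that is not Facet Swap or UniswapV2 source. The contract, function and parameter names are hypothetical (only price0CumulativeLast comes from the finding), and the consumer-side averagePrice helper goes beyond the finding to show why a wrapped accumulator still yields correct results.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Facet Swap or UniswapV2 source. All names except
// price0CumulativeLast are hypothetical.
contract AccumulatorDemo {
    uint256 public price0CumulativeLast;

    // Test helper: start the accumulator close to type(uint256).max.
    function seed(uint256 value) external {
        price0CumulativeLast = value;
    }

    // Default behaviour in Solidity 0.8: once the sum would exceed
    // type(uint256).max this reverts with Panic(0x11), and so does every
    // function that reaches the update.
    function updateChecked(uint224 priceUQ, uint32 timeElapsed) external {
        price0CumulativeLast += uint256(priceUQ) * timeElapsed;
    }

    // Recommended form: the product always fits in 256 bits (224 + 32),
    // and the addition is allowed to wrap modulo 2**256.
    function updateUnchecked(uint224 priceUQ, uint32 timeElapsed) external {
        unchecked {
            price0CumulativeLast += uint256(priceUQ) * timeElapsed;
        }
    }

    // Consumer side (assumed usage): the difference of two readings is
    // also taken modulo 2**256, so the average over the window is correct
    // even if the accumulator wrapped between the two readings.
    function averagePrice(
        uint256 cumulativeStart,
        uint256 cumulativeEnd,
        uint32 elapsed
    ) external pure returns (uint256) {
        require(elapsed != 0, "zero window");
        unchecked {
            return (cumulativeEnd - cumulativeStart) / elapsed;
        }
    }
}
```

Seeding the accumulator with type(uint256).max and calling updateChecked with any non-zero price and elapsed time reverts, while updateUnchecked succeeds and averagePrice over the two readings returns the price that was supplied.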
Remediation
This issue has been acknowledged by 0xFacet, and a fix was implemented in commit 47318a0b.