Solidity versioning permits underflow behavior
Description
The contract specifies its version to be pragma solidity >=0.4.25 <0.9.0. This means the contract can be compiled with a version of Solidity that does not perform checked math.
Impact
It is worth noting that while previous versions of Solidity (up to and including 0.7.x) did not automatically check for overflow and underflow, it was still possible to manually check for and handle such scenarios. However, in the ETH and ERC20 Wasabi pools, balance subtractions such as balance -= optionData.strikePrice were not properly guarded against underflow scenarios, which could result in a user's available balance being artificially inflated.
Starting with Solidity version 0.8.x, the compiler performs automatic overflow and underflow checks, helping to prevent these kinds of issues. Therefore, it is recommended to use the latest version of Solidity and follow best practices for safe arithmetic operations to avoid potential issues with underflow and overflow.
Recommendations
We recommend locking the compiler version to a 0.8.x release.
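One way to enforce this recommendation in review or CI is to flag any version pragma whose range admits a compiler older than 0.8.0. The script below is an added example, not code from the audit or from Wasabi. The function names and sample sources are constructed for illustration, and it handles only the comparator forms shown (bare version, =, ^, ~, >=, >, <, <=, and || alternatives).

```python
import re

CHECKED_MATH_FROM = (0, 8, 0)  # solc 0.8.0 made checked arithmetic the default
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
COMPARATOR_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+(?:\.\d+){0,2})")
LOCKED_RE = re.compile(r"=?\s*\d+\.\d+\.\d+")

def _version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def lower_bound(constraint):
    """Lowest version admitted by one AND-ed comparator set, e.g. '>=0.4.25 <0.9.0'."""
    low = (0, 0, 0)
    for op, ver in COMPARATOR_RE.findall(constraint):
        v = _version(ver)
        if op in ("", "=", "^", "~", ">="):
            low = max(low, v)
        elif op == ">":  # exclusive bound: next patch release
            low = max(low, v[:2] + (v[2] + 1,))
        # '<' and '<=' only cap the range; they never raise the floor
    return low

def audit_pragmas(source):
    """Report each Solidity version pragma and whether it admits a pre-0.8.0 compiler."""
    findings = []
    for constraint in PRAGMA_RE.findall(source):
        constraint = constraint.strip()
        # '||' joins alternative ranges; the weakest alternative sets the floor
        low = min(lower_bound(alt) for alt in constraint.split("||"))
        findings.append({
            "constraint": constraint,
            "lowest": low,
            "unchecked_math_possible": low < CHECKED_MATH_FROM,
            "locked": LOCKED_RE.fullmatch(constraint) is not None,
        })
    return findings

# Constructed sample sources; the first uses the pragma quoted in the finding.
SAMPLE_FLOATING = "pragma solidity >=0.4.25 <0.9.0;\ncontract Pool {}\n"
SAMPLE_LOCKED = "pragma solidity 0.8.19;\ncontract Pool {}\n"

if __name__ == "__main__":
    for src in (SAMPLE_FLOATING, SAMPLE_LOCKED):
        for f in audit_pragmas(src):
            print(f)
```

A pragma that passes this check still leaves arithmetic inside Solidity 0.8 unchecked { } blocks unguarded, so those need separate review.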
Remediation
This issue has been acknowledged by Wasabi, and a fix was implemented in commit 63ab20b9.