pkqs90 - SolidlyV3AMO boostPrice() may overflow.

[sherlock-admin2]

pkqs90

Medium

SolidlyV3AMO boostPrice() may overflow.

Summary

SolidlyV3AMO boostPrice() may overflow.

Root Cause

In the first if-branch, the price is calculated by (10 ** (boostDecimals - usdDecimals + PRICE_DECIMALS) * sqrtPriceX96 ** 2) / Q96 ** 2.

Since boostDecimals - usdDecimals == 12, in an extreme case if boost/USD is larger than 1e8, this would overflow. Because 1e8 * 1e12 * 2**192 > 2**256

    function boostPrice() public view override returns (uint256 price) {

        (uint160 _sqrtPriceX96, , , ) = ISolidlyV3Pool(pool).slot0();
        uint256 sqrtPriceX96 = uint256(_sqrtPriceX96);
        
        if (boost < usd) {
@>          price = (10 ** (boostDecimals - usdDecimals + PRICE_DECIMALS) * sqrtPriceX96 ** 2) / Q96 ** 2;
        } else {
            if (sqrtPriceX96 >= Q96) {
                price = 10 ** (boostDecimals - usdDecimals + PRICE_DECIMALS) / (sqrtPriceX96 ** 2 / Q96 ** 2);
            } else {
                price = (10 ** (boostDecimals - usdDecimals + PRICE_DECIMALS) * Q96 ** 2) / sqrtPriceX96 ** 2;
            }
        }
    }

• https://github.com/sherlock-audit/2024-10-axion/blob/main/liquidity-amo/contracts/SolidlyV3AMO.sol#L347

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

N/A

Impact

boostPrice() may overflow for SolidlyV3AMO, and related features would brick, e.g. mintSellFarm(), unfarmBuyBurn().

PoC

N/A

Mitigation

Use FullMath (like UniswapV3).