DFP-1: Silent Truncation on int224 Cast without Bounds Checks

acenolaza · acenolaza · commit 94ae5e9f315f · 2025-06-16T19:21:24.000-03:00
diff --git a/contracts/InverseApi3ReaderProxyV1.sol b/contracts/InverseApi3ReaderProxyV1.sol
@@ -24,10 +24,7 @@ contract InverseApi3ReaderProxyV1 is IInverseApi3ReaderProxyV1 {
     }
 
     /// @notice Returns the inverted value of the underlying IApi3ReaderProxy
-    /// @dev This inverts the 18-decimal fixed-point value using 1e36 / value.
-    /// The operation will revert if `baseValue` is zero (division by zero) or if
-    /// `baseValue` is so small (yet non-zero) that the resulting inverted value
-    /// would overflow the `int224` type.
+    /// @dev The operation will revert if `baseValue` is zero (division by zero).
     /// @return value Inverted value of the underlying proxy
     /// @return timestamp Timestamp of the underlying proxy
     function read()
@@ -39,7 +36,7 @@ contract InverseApi3ReaderProxyV1 is IInverseApi3ReaderProxyV1 {
         (int224 baseValue, uint32 baseTimestamp) = IApi3ReaderProxy(proxy)
             .read();
 
-        value = int224((1e36) / int256(baseValue));
+        value = int224(1e36) / baseValue;
         timestamp = baseTimestamp;
     }
 
diff --git a/contracts/NormalizedApi3ReaderProxyV1.sol b/contracts/NormalizedApi3ReaderProxyV1.sol
@@ -45,15 +45,9 @@ contract NormalizedApi3ReaderProxyV1 is INormalizedApi3ReaderProxyV1 {
 
     /// @notice Returns the price of the underlying Chainlink feed normalized to
     /// 18 decimals.
-    /// @dev Fetches an `int256` answer from the Chainlink feed and scales it
-    /// to 18 decimals using pre-calculated factors. The result is cast to
-    /// `int224` to conform to the `IApi3ReaderProxy` interface.
-    /// IMPORTANT: If the normalized `int256` value is outside the `int224`
-    /// range, this cast causes silent truncation and data loss. Deployers
-    /// must verify that the source feed's characteristics (value magnitude
-    /// and original decimals) ensure the 18-decimal normalized value fits
-    /// `int224`. Scaling arithmetic (prior to cast) reverts on `int256`
-    /// overflow.
+    /// @dev Fetches and scales the Chainlink feed's `int256` answer.
+    /// The scaled `int256` result is then cast to `int224`. This cast is
+    /// unchecked for gas optimization and may silently truncate.
     /// @return value The normalized signed fixed-point value with 18 decimals
     /// @return timestamp The updatedAt timestamp of the feed
     function read()
diff --git a/contracts/ProductApi3ReaderProxyV1.sol b/contracts/ProductApi3ReaderProxyV1.sol
@@ -33,9 +33,13 @@ contract ProductApi3ReaderProxyV1 is IProductApi3ReaderProxyV1 {
 
     /// @notice Returns the current value and timestamp of the rate composition
     /// between two IApi3ReaderProxy proxies by multiplying their values
-    /// @dev There is a risk of multiplication overflowing if the result exceeds
-    /// `int256` bounds. The returned timestamp is `block.timestamp`, marking
-    /// when this newly derived product value was computed on-chain.
+    /// @dev Calculates product as `(int256(value1) * int256(value2)) / 1e18`.
+    /// The initial multiplication `int256(value1) * int256(value2)` will revert
+    /// on `int256` overflow. The final `int256` result of the full expression
+    /// is then cast to `int224`. This cast is unchecked for gas optimization
+    /// and may silently truncate if the result exceeds `int224` limits.
+    /// The returned timestamp is `block.timestamp`, marking when this newly
+    /// derived product value was computed on-chain.
     /// Timestamps from underlying `IApi3ReaderProxy` feeds are not aggregated.
     /// Their diverse nature (see `IApi3ReaderProxy` interface for details like
     /// off-chain origins or varying update cadences) makes aggregation complex
