Hello,
I've been checking some code with Slither and it has thrown me a red exploit regarding OpenZeppelin Math.sol. I'm using v5.2.0 and this is the exploit:
INFO:Detectors:
Math.mulDiv(uint256,uint256,uint256) (lib/openzeppelin-contracts/contracts/utils/math/Math.sol#144-223) has bitwise-xor operator ^ instead of the exponentiation operator **:
- inverse = (3 * denominator) ^ 2 (lib/openzeppelin-contracts/contracts/utils/math/Math.sol#205)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-exponentiation
I have been "arguing" with Grok about this and Grok also suggests to me that this is a bug. It says that there should be ** instead of ^. The line is 116:
// Invert denominator mod 2^256. Now that denominator is an odd number, it has an inverse modulo 2^256 such
// that denominator * inv = 1 mod 2^256. Compute the inverse by starting with a seed that is correct for
// four bits. That is, denominator * inv = 1 mod 2^4.
uint256 inverse = (3 * denominator) ^ 2;
In other versions it is the same, but maybe on a different line.
Is Grok wrong? As I read the comment above line 116, it doesn't seem like this should be XOR but rather really **.
Best regards,
Tomo
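An added check (not part of the original post and not OpenZeppelin's code) that tests the property the comment above line 116 states, namely denominator * inv = 1 mod 2^4 for every odd denominator, under both readings of `^`, and then runs the same Newton-Raphson refinement that Math.mulDiv applies to the seed. The names MASK256, seed_xor, seed_pow, correct_bits and newton_inverse are my own.

```python
MASK256 = (1 << 256) - 1  # Solidity uint256 arithmetic wraps modulo 2^256


def seed_xor(denominator: int) -> int:
    """Solidity reading: ^ is bitwise XOR, so the seed is (3*d) XOR 2."""
    return ((3 * denominator) & MASK256) ^ 2


def seed_pow(denominator: int) -> int:
    """Exponentiation reading the detector suggests: (3*d) ** 2 mod 2^256."""
    return ((3 * denominator) ** 2) & MASK256


def correct_bits(denominator: int, inv: int) -> int:
    """Largest k <= 256 such that denominator * inv == 1 (mod 2^k)."""
    product = (denominator * inv) & MASK256
    bits = 0
    for k in range(1, 257):
        if product % (1 << k) != 1:
            break
        bits = k
    return bits


def all_odd_residues_ok(seed_fn, bits_needed: int = 4) -> bool:
    """The comment's claim: the seed is an inverse mod 2^4 for every odd d.
    Correctness mod 16 depends only on d mod 16, so the 8 odd residues
    1, 3, ..., 15 cover every odd denominator."""
    return all(correct_bits(d, seed_fn(d)) >= bits_needed for d in range(1, 16, 2))


def newton_inverse(denominator: int) -> int:
    """Mirror of the six `inverse *= 2 - denominator * inverse` steps in
    Math.mulDiv: each step doubles the number of correct low bits,
    4 -> 8 -> 16 -> 32 -> 64 -> 128 -> 256, for an odd denominator."""
    if denominator % 2 == 0:
        raise ValueError("only odd denominators have an inverse mod 2^256")
    inv = seed_xor(denominator)
    for _ in range(6):
        inv = (inv * (2 - denominator * inv)) & MASK256
    return inv


if __name__ == "__main__":
    print("XOR seed correct for 4 bits on all odd d:", all_odd_residues_ok(seed_xor))
    print("** seed correct for 4 bits on all odd d: ", all_odd_residues_ok(seed_pow))
    d = (1 << 255) + 12345  # constructed odd 256-bit denominator
    print("full inverse check:", (d * newton_inverse(d)) & MASK256 == 1)
```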