fix: Optimizer.sol base class only guards slots 0 and 1 (#968)

Replace the two per-slot require checks with a loop over all 8 input slots so future subclasses using slots 2-7 are protected from silent uint256 wrap. Add testCalculateParamsRevertsOnNegativeMantissaSlots2to7 to verify the guard. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 18:24:18 +00:00 · 2026-03-18 18:24:18 +00:00 · 28ce5ec8cd
commit 28ce5ec8cd
parent b30e3a8d51
2 changed files with 15 additions and 2 deletions
--- a/onchain/src/Optimizer.sol
+++ b/onchain/src/Optimizer.sol
@ -370,8 +370,9 @@ contract Optimizer is Initializable, UUPSUpgradeable, IOptimizer {
        returns (uint256 capitalInefficiency, uint256 anchorShare, uint24 anchorWidth, uint256 discoveryDepth)
    {
        // Guard against negative mantissa — uint256() cast silently wraps negatives.
-        require(inputs[0].mantissa >= 0, "negative mantissa");
-        require(inputs[1].mantissa >= 0, "negative mantissa");
+        for (uint256 k; k < 8; k++) {
+            require(inputs[k].mantissa >= 0, "negative mantissa");
+        }
        // Extract slots 0 and 1 (shift=0 assumed — mantissa IS the value)
        uint256 percentageStaked = uint256(inputs[0].mantissa);
        uint256 averageTaxRate = uint256(inputs[1].mantissa);