[Ethereum] How does the SafeMath library of OpenZeppelin protect your code from integer overflow

openzeppelinsolidity

Sorry for the newb question. I am reading the SafeMath code and it seems that it just does some multiplications and calculations?

How do you use it to protect your code? Do you just import it?

Best Answer

How do you use it to protect your code?

Functions of SafeMath check logic conditions of math operations.

function sub(uint256 a, uint256 b...
   assert(b <= a); // otherwise, subtracting b when (b > a) will cause integer underflow

function add(uint256 a, uint256 b...
    uint256 c = a + b;
    assert(c >= a); // if the addition will cause overflow, the values will start from 0 and c will be less than a

Do you just import it?

Three steps are required to correctly implement SafeMath in your contract:

Import the library at the top of your code.
Declare that you wish to attach the library functions to the uint256 type:

using SafeMath for uint256;
Replace each of the standard arithmetic operators in your code with the equivalent call to a SafeMath function:
- a + b becomes a.add(b)
- a - b becomes a.sub(b)
- a * b becomes a.mul(b)
- a / b becomes a.div(b)

If you omit the last step, as seems to be quite common when people are first starting out with smart contracts, then your code receives no protection whatsoever from overflows/underflows. It is just the same as if you had not included SafeMath at all. This can be verified by testing the following code:

import "./SafeMath.sol";

contract TestSafeMath {
    using SafeMath for uint256;

    function unsafeSubtract() public pure returns (uint256) {
        uint256 a = 0;
        return a - 1;
    }

    function safeSubtract() public pure returns (uint256) {
        uint256 a = 0;
        return a.sub(1);
    }
}

Even though the library has been imported, and the using statement declared, calling the first function will still return the enormously large integer value 115792089237316195423570985008687907853269984665640564039457584007913129639935, or hex FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, whereas the second function will correctly throw an exception to prevent the underflow.

Update 10:33 Oct 14 2016

I have set up my private blockchain using the following procedures:

1. Setup genesis.json

Wocket:ESE bok$ more genesis.json 
{
    "config": {
            "homesteadBlock": 10
    },
    "nonce": "0",
    "difficulty": "0x400",
    "mixhash": "0x00000000000000000000000000000000000000647572616c65787365646c6578",
    "coinbase": "0x0000000000000000000000000000000000000000",
    "timestamp": "0x00",
    "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
    "extraData": "0x",
    "gasLimit": "0x3B4A1B44",
    "alloc": {}
}

2. Password file

I created a password file testpassword containing my account password

3. Blockchain Initialisation Script

I created a script to initialise my blockchain:

Wocket:ESE bok$ more 02_runGethGenesisInit 
#!/bin/sh

geth --datadir /Users/bok/ESE/gethgenesis init /Users/bok/ESE/genesis.json
geth --datadir /Users/bok/ESE/gethgenesis --password testpassword account new

And I used chmod 700 02_runGethGenesisInit to set the executable bit.

4. Private Node Script

I created a script to start my private geth node in mining mode:

Wocket:ESE bok$ more 02_runGethGenesis 
#!/bin/sh

geth --datadir /Users/bok/ESE/gethgenesis --unlock 0 --password /Users/bok/ESE/testpassword --rpc --rpccorsdomain '*' --mine --minerthreads 1 console

And I used chmod 700 02_runGethGenesis to set the executable bit.

5. Browser Solidity

I downloaded Browser Solidity from https://github.com/ethereum/browser-solidity/tree/gh-pages.

I unzipped the files and loaded index.html into my web browser.

6. Start it all

I initialised my blockchain data using the following command:

Wocket:ESE bok$ ./02_runGethGenesisInit

I started my node using the following command, and have been running it for a while:

Wocket:ESE bok$ ./02_runGethGenesis
...
I1015 09:56:14.364062 miner/worker.go:342] 🔨  Mined block (#5210 / f881b1be). Wait 5 blocks for confirmation
I1015 09:56:14.364333 miner/worker.go:539] commit new work on block 5211 with 0 txs & 0 uncles. Took 281.474µs
I1015 09:56:14.364360 miner/worker.go:435] 🔨 🔗  Mined 5 blocks back: block #5205
I1015 09:56:14.364492 miner/worker.go:539] commit new work on block 5211 with 0 txs & 0 uncles. Took 114.592µs
I1015 09:56:16.394886 miner/worker.go:342] 🔨  Mined block (#5211 / 420c7edc). Wait 5 blocks for confirmation
I1015 09:56:16.395189 miner/worker.go:539] commit new work on block 5212 with 0 txs & 0 uncles. Took 262.993µs
I1015 09:56:16.395222 miner/worker.go:435] 🔨 🔗  Mined 5 blocks back: block #5206

7. Testing For The Homestead Mode

I loaded the test script by @TjadenHess from How could I update default homesteadBlock value on my private Ethereum blockchain? into Solidity Browser:

contract TestHomestead{
    function test () returns(bool){
        return address(4).delegatecall(1);
    }
}

I connected Solidity Browser to my local private node by clicking on the block icon and selecting Web3 Provider. I then clicked on Create to deploy the contract above to the blockchain. I clicked test and the message Transaction cost: 21657 gas. shows that my blockchain is in Homestead mode.

Note: If I alter the function to make it a constant function test () constant returns(bool){, I get the following results for a Homestead mode blockchain - true:

See section 9. below for the message displayed when the blockchain is in non-Homestead mode.

8. Testing The Library Call Source Code

I've modified the library call source code slightly to make the value variable public, and loaded this into Browser Solidity :

library Library {
    function func () constant returns (uint8) {
        return 5;
    }
}

contract Contract {
    uint8 public value;
    function call_library_function () {
        value = Library.func();
    }
}

I clicked Create to deploy the code, call_library_function to execute the method, and value to view the library call function result:

Success

The message Transaction cost: 41914 gas. and the value of value shows that the library function call succeeded.

9. What Happens When My Node Is In Non-Homestead Mode

I connected Browser Solidity with a geth --dev blockchain:

geth --dev --datadir /Users/bok/ESE/gethdata --unlock 0 --password /Users/bok/ESE/testpassword --rpc --rpccorsdomain '*' --mine --minerthreads 1 console

I ran the same Homestead test code to produce the message Gas required exceeds limit: 50000000 showing that this --dev blockchain is in non-Homestead mode:

Note: If I alter the function to make it a constant function test () constant returns(bool){, I get the following results for a non-Homestead mode blockchain - false:

OpenZeppelin – How to Use SafeERC20.sol for Beginners

You need to install the OpenZeppelin npm package into your project directory via yarn or npm like:

yarn add @openzeppelin/contracts

npm install --save @openzeppelin/contracts

Then import the SafeERC20.sol from those installed packages like:

import "@openzeppelin/contracts/<route to file>/SafeERC20.sol";

Then, you'll need to use it for IERC20 like:

using SafeERC20 for IERC20;

You don't need to import OpenZeppelin's Address.sol. If it's a dependency for IERC20, it will already be imported implicitly when you import SafeERC20.sol.