fix: Add safecast on MathUtils::signedSub function (#1071)

Author: yan-man

snapshots/Hub.Operations.json

@@ -11,7 +11,7 @@
   "remove: partial": "81640",
   "reportDeficit": "115225",
   "restore: full": "80471",
-  "restore: full - with transfer": "173377",
+  "restore: full - with transfer": "173521",
   "restore: partial": "89137",
   "restore: partial - with transfer": "147400",
   "transferShares": "71192"

snapshots/NativeTokenGateway.Operations.json

@@ -1,6 +1,6 @@
 {
-  "borrowNative": "229316",
-  "repayNative": "168024",
+  "borrowNative": "229604",
+  "repayNative": "168312",
   "supplyAsCollateralNative": "160373",
   "supplyNative": "136476",
   "withdrawNative: full": "125620",

snapshots/SignatureGateway.Operations.json

@@ -1,6 +1,6 @@
 {
-  "borrowWithSig": "215605",
-  "repayWithSig": "188872",
+  "borrowWithSig": "215893",
+  "repayWithSig": "189160",
   "setSelfAsUserPositionManagerWithSig": "75402",
   "setUsingAsCollateralWithSig": "85053",
   "supplyWithSig": "153205",

snapshots/Spoke.Operations.ZeroRiskPremium.json

@@ -1,15 +1,15 @@
 {
   "borrow: first": "191325",
   "borrow: second action, same reserve": "171297",
-  "liquidationCall (receiveShares): full": "300103",
-  "liquidationCall (receiveShares): partial": "299821",
-  "liquidationCall: full": "310468",
-  "liquidationCall: partial": "310186",
-  "permitReserve + repay (multicall)": "166029",
+  "liquidationCall (receiveShares): full": "300391",
+  "liquidationCall (receiveShares): partial": "300109",
+  "liquidationCall: full": "310756",
+  "liquidationCall: partial": "310474",
+  "permitReserve + repay (multicall)": "166317",
   "permitReserve + supply (multicall)": "146862",
   "permitReserve + supply + enable collateral (multicall)": "160573",
-  "repay: full": "126094",
-  "repay: partial": "130983",
+  "repay: full": "126382",
+  "repay: partial": "131271",
   "setUserPositionManagerWithSig: disable": "44846",
   "setUserPositionManagerWithSig: enable": "68875",
   "supply + enable collateral (multicall)": "140624",

snapshots/Spoke.Operations.json

@@ -1,15 +1,15 @@
 {
-  "borrow: first": "261721",
-  "borrow: second action, same reserve": "204693",
-  "liquidationCall (receiveShares): full": "333666",
-  "liquidationCall (receiveShares): partial": "333384",
-  "liquidationCall: full": "344031",
-  "liquidationCall: partial": "343749",
-  "permitReserve + repay (multicall)": "163273",
+  "borrow: first": "262009",
+  "borrow: second action, same reserve": "204981",
+  "liquidationCall (receiveShares): full": "334242",
+  "liquidationCall (receiveShares): partial": "333960",
+  "liquidationCall: full": "344607",
+  "liquidationCall: partial": "344325",
+  "permitReserve + repay (multicall)": "163504",
   "permitReserve + supply (multicall)": "146862",
   "permitReserve + supply + enable collateral (multicall)": "160573",
-  "repay: full": "120256",
-  "repay: partial": "139545",
+  "repay: full": "120544",
+  "repay: partial": "139833",
   "setUserPositionManagerWithSig: disable": "44846",
   "setUserPositionManagerWithSig: enable": "68875",
   "supply + enable collateral (multicall)": "140624",
@@ -18,16 +18,16 @@
   "supply: second action, same reserve": "106579",
   "updateUserDynamicConfig: 1 collateral": "73694",
   "updateUserDynamicConfig: 2 collaterals": "88551",
-  "updateUserRiskPremium: 1 borrow": "151080",
-  "updateUserRiskPremium: 2 borrows": "204276",
+  "updateUserRiskPremium: 1 borrow": "151368",
+  "updateUserRiskPremium: 2 borrows": "204852",
   "usingAsCollateral: 0 borrows, enable": "58915",
-  "usingAsCollateral: 1 borrow, disable": "161348",
+  "usingAsCollateral: 1 borrow, disable": "161636",
   "usingAsCollateral: 1 borrow, enable": "41803",
-  "usingAsCollateral: 2 borrows, disable": "233712",
+  "usingAsCollateral: 2 borrows, disable": "234288",
   "usingAsCollateral: 2 borrows, enable": "41815",
   "withdraw: 0 borrows, full": "128910",
   "withdraw: 0 borrows, partial": "133473",
-  "withdraw: 1 borrow, partial": "214810",
-  "withdraw: 2 borrows, partial": "259272",
+  "withdraw: 1 borrow, partial": "215098",
+  "withdraw: 2 borrows, partial": "259848",
   "withdraw: non collateral": "106544"
 }

src/libraries/math/MathUtils.sol

@@ -2,9 +2,13 @@
 // Copyright (c) 2025 Aave Labs
 pragma solidity ^0.8.20;
 
+import {SafeCast} from 'src/dependencies/openzeppelin/SafeCast.sol';
+
 /// @title MathUtils library
 /// @author Aave Labs
 library MathUtils {
+  using SafeCast for uint256;
+
   uint256 internal constant RAY = 1e27;
   /// @dev Ignoring leap years
   uint256 internal constant SECONDS_PER_YEAR = 365 days;
@@ -50,9 +54,8 @@ library MathUtils {
   }
 
   /// @notice Returns the difference of two unsigned integers as a signed integer.
-  /// @dev Does not ensure the `a` and `b` values are within the range of a signed integer.
   function signedSub(uint256 a, uint256 b) internal pure returns (int256) {
-    return int256(a) - int256(b);
+    return a.toInt256() - b.toInt256();
   }
 
   /// @notice Returns the difference of two unsigned integers.

tests/unit/MathUtils.t.sol

@@ -127,6 +127,15 @@ contract MathUtilsTest is Base {
     assertTrue(result <= INT256_MAX);
   }
 
+  function test_signedSub_revertsWith_SafeCastOverflowedUintToInt(uint256 a) public {
+    a = bound(a, uint256(INT256_MAX) + 1, UINT256_MAX);
+    vm.expectRevert(abi.encodeWithSelector(SafeCast.SafeCastOverflowedUintToInt.selector, a));
+    MathUtils.signedSub(a, 0);
+
+    vm.expectRevert(abi.encodeWithSelector(SafeCast.SafeCastOverflowedUintToInt.selector, a));
+    MathUtils.signedSub(0, a);
+  }
+
   function test_uncheckedSub(uint256 a, uint256 b) public pure {
     uint256 result = a >= b ? a - b : UINT256_MAX - b + a + 1;
     assertEq(MathUtils.uncheckedSub(a, b), result);