From 1bbf87a8eb2813282520f001b41f7fda50b41d1c Mon Sep 17 00:00:00 2001
From: Serhat Dolmaci <srhtsrht17@gmail.com>
Date: Fri, 19 Jun 2026 20:51:54 +0300
Subject: [PATCH] fix: add overflow check for unchecked exponentiation in
 getNodeFeeByDemand

The function was using ** 3 on a value that's read from contract storage.
SafeMath doesn't cover exponentiation, so in Solidity 0.7.6 the ** operator
can silently wrap on overflow. Added a manual overflow check after the
cube multiplication.
---
 contracts/contract/network/RocketNetworkFees.sol | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/contracts/contract/network/RocketNetworkFees.sol b/contracts/contract/network/RocketNetworkFees.sol
index d2172d17a..18fbd4db7 100644
--- a/contracts/contract/network/RocketNetworkFees.sol
+++ b/contracts/contract/network/RocketNetworkFees.sol
@@ -69,7 +69,9 @@ contract RocketNetworkFees is RocketBase, RocketNetworkFeesInterface {
             return minFee;
         }
         // Get fee interpolation factor
-        uint256 t = nNodeDemand.div(demandDivisor) ** 3;
+        uint256 base = nNodeDemand.div(demandDivisor);
+        uint256 t = base * base * base;
+        require(t / base / base == base, "Fee calculation overflow");
         // Interpolate between min / target / max fee
         if (nNodeDemandSign) { return targetFee.add(maxFee.sub(targetFee).mul(t).div(calcBase)); }
         return minFee.add(targetFee.sub(minFee).mul(calcBase.sub(t)).div(calcBase));