Incorrect calculation of ``minimumAmountOut`` for swapping.
Summary
The minimumAmountOut calculated for swap is incorrect.
Vulnerability Details
The minimumAmountOut value is used as slippage value for the swap. In the swap() of SmartVaultV3.sol, calculateMinimumAmountOut() is used to calculate minimumAmountOut.
The issue lies in the amount sent calculateMinimumAmountOut() to calculate minimumAmountOut.
swapFee is needed to be paid on total swap amount for every swap. The swap fee is taken from inToken in case of ERC20 swap and native eth in case of native swap.
The amount sent for the swap is calculated as:
amountIn = _amount - swapFee which can be seen here.
Thus, the minimumAmountOut value should also be calculated by totalAmount - swapFee as above.
But, minimumAmountOut value is calculated without subtracting the swapFee.
Impact
Inside the calculateMinimumAmountOut(), collateralValueMinusSwapValue is calculated as:
When incorrect _amount value is provided, wrong amount of minimumAmountOut value is returned. In this case, collateralValueMinusSwapValue will be inflated and minimumAmountOut returned will be less than it is. Meaning, Through swapping, user can get another asset amount more bypassing his/her collateralization threshold.
This may even cause swap to fail.
Tools Used
Manual Analysis
Recommendations
In the swap(), modify:
To this:
Lead Judging Commences
swapfee-incorrect-calc
swapfee-incorrect-calc
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.