First Flight #18: T-Swap
First Flight #18
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Donation attack is possible due to direct access to `balances`.

0x1912

Summary

To get reserves in the pool, the Pool contract uses direct access mechanism instead of internal accounting.

Vulnerability Details

To get reserves in the pool, the Pool contract uses direct access mechanism instead of internal accounting.
For example, in the getPoolTokensToDepositBasedOnWeth function

function getPoolTokensToDepositBasedOnWeth(
uint256 wethToDeposit
) public view returns (uint256) {
uint256 poolTokenReserves = i_poolToken.balanceOf(address(this));
uint256 wethReserves = i_wethToken.balanceOf(address(this));
return (wethToDeposit * poolTokenReserves) / wethReserves;
}

Malicious actor can directly send weth, or pool token to the contract address to manipulate price because price determines based on reserved amounts of two tokens.

Impact

Malicious actor can steal users' funds or Protocol's revenue by manipulating price using donation attack.

Tools Used

Manual review

Recommendations

Recommend using internal accounting in the Pool contract.
Like uniswap, create reserve storage slots for weth, and pool token, and update those for each deposit and withdraw transaction.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago

Appeal created

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.