First Flight #18: T-Swap

Submission Details
Severity: high
Valid

Wrong multiplier is used in `getInputAmountBasedOnOutput` function.

Summary

`getInputAmountBasedOnOutput` uses an incorrect multiplier, so the input amount it returns is wrong.

Vulnerability Details

`getInputAmountBasedOnOutput` calculates the input amount from the output amount using the wrong multiplier.

```solidity
function getInputAmountBasedOnOutput(
    uint256 outputAmount,
    uint256 inputReserves,
    uint256 outputReserves
)
    public
    pure
    revertIfZero(outputAmount)
    revertIfZero(outputReserves)
    returns (uint256 inputAmount)
{
    return
@>      ((inputReserves * outputAmount) * 10000) /
        ((outputReserves - outputAmount) * 997);
}
```

As you can see in the code above, it uses 10000 as the multiplier, but it should be 1000 (based on Uniswap math).

Impact

Because the user has to transfer 10 times more input tokens than expected, this kind of transaction will have a huge impact on the pool's operation, eventually causing the pool to stop functioning and users to lose their funds.
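
A round-trip check that exposes this class of error, as an added example (not code from the submission or from the T-Swap project). Python integers model the Solidity arithmetic, the forward quote `output_for_input` is assumed to follow Uniswap V2's `getAmountOut` form, and the pool states are constructed.

```python
# Added example. Python ints stand in for Solidity uint256 (floor division;
# the constructed values below stay far below 2**256).
FEE_NUM, FEE_DEN = 997, 1000  # 0.3% fee, as in the page's formula

def input_for_output(output_amount, input_reserves, output_reserves, multiplier):
    """The page's getInputAmountBasedOnOutput with the multiplier as a
    parameter (10000 = as reported, 1000 = as recommended)."""
    if output_amount == 0 or output_reserves == 0:
        raise ValueError("zero value")              # mirrors revertIfZero
    if output_amount >= output_reserves:
        raise ValueError("output drains the pool")  # denominator would be zero or underflow
    return (input_reserves * output_amount * multiplier) // (
        (output_reserves - output_amount) * FEE_NUM)

def output_for_input(input_amount, input_reserves, output_reserves):
    """Assumed forward quote in Uniswap V2 getAmountOut form (not on the page)."""
    return (input_amount * FEE_NUM * output_reserves) // (
        input_reserves * FEE_DEN + input_amount * FEE_NUM)

def surplus(output_amount, input_reserves, output_reserves, multiplier):
    """What the quoted input is worth at the forward price, minus what the
    caller asked for. A consistent pair of quotes keeps this within rounding."""
    paid = input_for_output(output_amount, input_reserves, output_reserves, multiplier)
    return output_for_input(paid, input_reserves, output_reserves) - output_amount

def inconsistent_cases(multiplier, cases, tolerance=1):
    """Return the cases whose round trip is off by more than `tolerance` wei."""
    return [c for c in cases if abs(surplus(*c, multiplier)) > tolerance]

E18 = 10**18
# Constructed pool states: (outputAmount, inputReserves, outputReserves)
CASES = [(1 * E18, 100 * E18, 100 * E18),
         (5 * E18, 2_000 * E18, 50 * E18),
         (1_000, 10**12, 10**9)]

if __name__ == "__main__":
    for m in (10000, 1000):
        flagged = inconsistent_cases(m, CASES)
        print(f"multiplier={m}: surplus={[surplus(*c, m) for c in CASES]}, "
              f"flagged {len(flagged)} of {len(CASES)}")
```

The same property translates directly into a fuzz test against the pool's two pricing functions.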

Tools Used

Manual review

Recommendations

Use the correct multiplier.

function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
return
-- ((inputReserves * outputAmount) * 10000) /
++ ((inputReserves * outputAmount) * 1000) /
((outputReserves - outputAmount) * 997);
}
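
Review bot: on the `++` line the quotient is still truncated by integer division, so `inputAmount` rounds down in the caller's favour; Uniswap V2's `getAmountIn` adds 1 to the result for this reason, so consider adding 1 after the division. The literals 1000 and 997 would also be safer as named constants shared with the other pricing function, so that a mismatched scale like the 10000 being removed here cannot reappear in only one place.
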
Updates

Appeal created

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
