Submission Details
Severity:
Wrong fee calculation in TSwapPool::getInputAmountBasedOnOutput leeds to users being overcharged
Description
The user should be charged a 0.3% fee that goes to the LPs but in TSwapPool::getInputAmountBasedOnOutput the multiplier is 10'000 instead of 1'000 which leads to the user being overcharged 10x more.
Impact
This finding breaks the logic of the contract and makes it not work as intended. The user has to pay a significant amount more in fees.
Proof of Concepts
Proof Of Code
Place the following into TSwapPool.t.sol.
function testGetInputAmountBasedOnOutput() public {
uint256 outputAmount = 10;
uint256 inputReserves = 100;
uint256 outputReserves = 100;
// Calculate expected input amount with 0.3% fee
uint256 expectedInputAmount = ((inputReserves * outputAmount) * 1000) / ((outputReserves - outputAmount) * 997);
uint256 inputAmount = pool.getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);
assertEq(inputAmount, expectedInputAmount);
}
Recommended mitigation
Correct the multiplier in getInputAmountBasedOnOutput.
function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
- return ((inputReserves * outputAmount) * 10_000) / ((outputReserves - outputAmount) * 997);
+ return ((inputReserves * outputAmount) * 1_000) / ((outputReserves - outputAmount) * 997);
}
Updates
Appeal created
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
Rewards breakdown
nSLOC
276This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.