First Flight #18: T-Swap

Submission Details
Severity: high
Valid

AMM Pool function will be wrong due to extra incentives.

Summary

The AMM pool uses the constant product formula x * y = k (constant).
However, the pool sends traders additional tokens every 10 swaps, which contradicts the AMM formula.

Vulnerability Details

`swapExactInput` and `swapExactOutput` calculate the input/output amount based on the AMM formula.
However, the `_swap` function sends extra tokens every 10 swaps, so it breaks the pool's formula.

```solidity
function _swap(
    IERC20 inputToken,
    uint256 inputAmount,
    IERC20 outputToken,
    uint256 outputAmount
) private {
    __SNIP__
    swap_count++;
    if (swap_count >= SWAP_COUNT_MAX) {
        swap_count = 0;
        // Extra output tokens leave the pool here, on top of the
        // outputAmount computed from the AMM formula.
        outputToken.safeTransfer(msg.sender, 1_000_000_000_000_000_000);
    }
    __SNIP__
}
```
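
The effect can be checked as an invariant test on a small integer model of a constant-product pool. This is an added example, not code from the submission or from TSwapPool; the `Pool` class, the `first_invariant_break` helper, the reserve sizes and the fee-free pricing are assumptions.

```python
# Added example: integer model of a constant-product pool (not TSwapPool's code).
SWAP_COUNT_MAX = 10   # swap interval described in the finding
BONUS = 10**18        # the 1_000_000_000_000_000_000 transfer in _swap


class Pool:
    def __init__(self, x, y, bonus_enabled):
        self.x, self.y = x, y              # reserves of input / output token
        self.swap_count = 0
        self.bonus_enabled = bonus_enabled

    def swap_exact_input(self, dx):
        """Swap dx of token x for token y. Fee-free pricing is an assumption."""
        # Rounding the output down guarantees (x + dx) * (y - dy) >= x * y.
        dy = self.y * dx // (self.x + dx)
        self.x += dx
        self.y -= dy
        self.swap_count += 1
        if self.bonus_enabled and self.swap_count >= SWAP_COUNT_MAX:
            self.swap_count = 0
            self.y -= BONUS                # extra transfer outside the formula
        return dy


def first_invariant_break(pool, dx, swaps):
    """Return the 1-based index of the first swap after which k = x * y
    is lower than before the swap, or None if k never decreases."""
    for i in range(1, swaps + 1):
        k_before = pool.x * pool.y
        pool.swap_exact_input(dx)
        if pool.x * pool.y < k_before:
            return i
    return None


if __name__ == "__main__":
    # Constructed sample reserves: 100 tokens each side, 18 decimals.
    start = 100 * 10**18
    print("with bonus   :", first_invariant_break(Pool(start, start, True), 10**18, 30))
    print("without bonus:", first_invariant_break(Pool(start, start, False), 10**18, 30))
```

The same check, asserting that k never decreases across a swap, is the kind of property a stateful fuzz or invariant test on the real contract would enforce.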

Impact

The AMM pool's behavior will be incorrect. The constant k will be thrown into chaos by traders' trends.

Tools Used

Manual review

Recommendations

Use another mechanism for incentives.
For example, consider sending a portion of pool profits to traders every 10 swaps, so that it doesn't impact the pool's formula (invariant).

Updates

Appeal created

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

In `TSwapPool::_swap` the extra tokens given to users after every swapCount breaks the protocol invariant of x * y = k
