First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Oracle and Price Manipulation

0x1912

Summary

The contract doesn't use oracles to obtain accurate price information, making it vulnerable to price manipulation attacks.

Vulnerability Details

This is known issue in Uniswap V1

function getOutputAmountBasedOnInput(

uint256 inputAmount,

uint256 inputReserves,

uint256 outputReserves

)

public

pure

revertIfZero(inputAmount)

revertIfZero(outputReserves)

returns (uint256 outputAmount)

{

// x * y = k

// numberOfWeth * numberOfPoolTokens = constant k

// k must not change during a transaction (invariant)

// with this math, we want to figure out how many PoolTokens to deposit

// since weth * poolTokens = k, we can rearrange to get:

// (currentWeth + wethToDeposit) * (currentPoolTokens + poolTokensToDeposit) = k

// **************************

// ****** MATH TIME!!! ******

// **************************

// FOIL it (or ChatGPT): https://en.wikipedia.org/wiki/FOIL_method

// (totalWethOfPool * totalPoolTokensOfPool) + (totalWethOfPool * poolTokensToDeposit) + (wethToDeposit *

// totalPoolTokensOfPool) + (wethToDeposit * poolTokensToDeposit) = k

// (totalWethOfPool * totalPoolTokensOfPool) + (wethToDeposit * totalPoolTokensOfPool) = k - (totalWethOfPool *

// poolTokensToDeposit) - (wethToDeposit * poolTokensToDeposit)

uint256 inputAmountMinusFee = inputAmount * 997;

@> uint256 numerator = inputAmountMinusFee * outputReserves;

@> uint256 denominator = (inputReserves * 1000) + inputAmountMinusFee;

@> return numerator / denominator;

}

function getInputAmountBasedOnOutput(

uint256 outputAmount,

uint256 inputReserves,

uint256 outputReserves

)

public

pure

revertIfZero(outputAmount)

revertIfZero(outputReserves)

returns (uint256 inputAmount)

{

return

@> ((inputReserves * outputAmount) * 10000) /

@> ((outputReserves - outputAmount) * 997);

}

In above code, very large inputAmount/outputAmount in getOutputAmountBasedOnInput/getInputAmountBasedOnOutput function causes significant difference in price(exchange rate).

Impact

Malicious actors could exploit this by artificially inflating or deflating prices during token swaps.

Tools Used

Manual review

Recommendations

Updates

Appeal created

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.