Submission Details
Severity:
`TSwapPool:: getInputAmountBasedOnOutput` has wrong fee calculation logic, leads to deduct too much tokens from the users resulting loss of fees
Summary
Miscalculation of amounts leads to user paying more and loss of fees for protocol.
Vulnerability Details
getInputAmountBasedOnInput function is used to calculate the amount of tokens that a users must deposit to get amount of output tokens.
function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
return
@> ((inputReserves * outputAmount) * 10000) /
((outputReserves - outputAmount) * 997);
}
But if you check the highlight code, it scales the amount by 10000 rather 1000.
This mismatch will cost users spending much more tokens while protocol getting 1/10th fees than expected.
Impact
Users spending more funds than expected and loss of fees for the protocol
Tools Used
Manual Review
Recommendations
Update the affect function as shown below:
function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
- return ((inputReserves * outputAmount) * 10_000) / ((outputReserves - outputAmount) * 997);
+ return ((inputReserves * outputAmount) * 1_000) / ((outputReserves - outputAmount) * 997);
}
Updates
Appeal created
inallhonesty 12 months ago
Submission Judgement Published Assigned finding tags:
Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
Rewards breakdown
nSLOC
276This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.