First Flight #18: T-Swap

Beginner Friendly, DeFi, Foundry
Submission Details
Severity: medium
Valid

Rebasing Tokens will break TSWAP invariant X*Y = K

Summary

The TSWAP protocol relies on maintaining a constant product invariant for its liquidity pools. The invariant formula x⋅y=k, where x and y are the reserves of the two tokens in the pool, ensures balanced trading and liquidity provision. Rebasing tokens, which automatically adjust their supply by increasing or decreasing balances proportionally across all holders, can disrupt this invariant, leading to potential issues within the protocol.

Vulnerability Details

Rebasing tokens change their supply periodically based on certain conditions or triggers, affecting all balances proportionally. This means that the number of tokens held by any address, including the TSWAP pool, can change without any transfer event. When such tokens are used within TSWAP pools, the constant product invariant x⋅y=k no longer holds due to the sudden and unaccounted changes in token reserves.

For example, if a rebasing event increases the supply of a token by 10%, the reserve balance in the TSWAP pool will also increase by 10% without any corresponding trade or liquidity provision event. This discrepancy breaks the TSWAP invariant, causing the liquidity pool to miscalculate reserves and leading to imbalanced pools.

Impact

Incorrect Pricing: The pool will miscalculate token prices due to incorrect reserve balances, leading to potentially unfair trades and arbitrage opportunities.

Liquidity Provider Losses: Liquidity providers might incur unexpected losses as their share of the pool's value can decrease due to the miscalculation.

Proof of Concept (PoC):

  1. Deploy a rebasing token contract.

  2. Create a TSWAP liquidity pool with this token and another standard token.

  3. Perform a rebasing event that adjusts the token supply.

  4. Observe the incorrect pricing and reserve imbalance in the pool due to the rebasing event.
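The four steps above, modeled as an added Python sketch (not part of the original submission and not TSwap's Solidity code). It assumes the pool prices swaps from its live token balance and omits fees; `RebasingToken`, `Pool` and `run_scenario` are hypothetical names, and the reserve figures are constructed.

```python
# Added illustration: toy constant-product pool, not TSwap's Solidity code.
# Assumption: the pool derives its reserve of the rebasing token from its live balance.

class RebasingToken:
    """Balances are shares * index / SCALE, so a rebase moves every holder at once."""
    SCALE = 10**18

    def __init__(self):
        self.index = self.SCALE
        self.shares = {}

    def mint(self, holder, amount):
        self.shares[holder] = self.shares.get(holder, 0) + amount * self.SCALE // self.index

    def balance_of(self, holder):
        return self.shares.get(holder, 0) * self.index // self.SCALE

    def rebase(self, percent):
        # percent = +10 grows every balance by 10%; no transfer takes place
        self.index = self.index * (100 + percent) // 100


class Pool:
    """x*y=k pool holding a rebasing token (x) against a standard token (y)."""

    def __init__(self, token, y_reserve):
        self.token = token
        self.y = y_reserve

    def x(self):
        return self.token.balance_of("pool")

    def k(self):
        return self.x() * self.y

    def quote_y_out(self, x_in):
        # constant-product output for x_in, fees omitted for clarity
        return self.y * x_in // (self.x() + x_in)


def run_scenario(percent):
    token = RebasingToken()                      # step 1: rebasing token
    token.mint("pool", 1_000)
    pool = Pool(token, 1_000)                    # step 2: pool against a standard token
    before = (pool.k(), pool.quote_y_out(100))
    token.rebase(percent)                        # step 3: supply adjusts, no trade occurs
    after = (pool.k(), pool.quote_y_out(100))    # step 4: k and the quote have both moved
    return before, after


if __name__ == "__main__":
    for pct in (10, -10):
        print(pct, run_scenario(pct))
```

Each returned tuple is `(k, standard-token output for 100 rebasing tokens in)`, taken before and after the rebase, so any difference between the two is drift that no swap or deposit accounts for.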

Tools Used

Manual Review

Recommendations

Token Compatibility Check: Ensure that tokens added to TSWAP pools do not implement rebasing mechanisms.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Rebase
