First Flight #18: T-Swap

Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Valid

Incorrect return value from `TSwapPool::getInputAmountBasedOnOutput` causes users to pay 10x more than they should

Summary

A wrong calculation in `TSwapPool::getInputAmountBasedOnOutput` makes the return value much larger than the correct value, so the user is overcharged tenfold.

Vulnerability Details

The return value calculation in `TSwapPool::getInputAmountBasedOnOutput` multiplies by 10_000 where it should multiply by 1_000.

Impact

The user is overcharged tenfold because the calculation multiplies by 10_000 instead of 1_000.
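The tenfold overcharge can be reproduced with an integer model of the pricing math, and a round-trip property check flags it. This is an added example, not code from the T-Swap repository: the forward formula in `output_for_input`, the helper names and the reserve values are assumptions made for illustration.

```python
# Added example: integer model of the pricing math, not the project's contract code.
FEE_NUM, FEE_DEN = 997, 1000  # 0.3% fee, taken from the 997 and 1000 literals in the fix

def input_for_output(output_amount, input_reserves, output_reserves, scale=FEE_DEN):
    """Model of getInputAmountBasedOnOutput; scale=10_000 reproduces the reported bug."""
    if output_amount == 0 or output_reserves == 0:
        raise ValueError("zero amount or reserves")
    if output_amount >= output_reserves:
        raise ValueError("output must be smaller than the output reserves")
    numerator = input_reserves * output_amount * scale
    return numerator // ((output_reserves - output_amount) * FEE_NUM)

def output_for_input(input_amount, input_reserves, output_reserves):
    """Assumed forward quote: constant product with the fee taken on the input side."""
    fee_adjusted = input_amount * FEE_NUM
    return (fee_adjusted * output_reserves) // (input_reserves * FEE_DEN + fee_adjusted)

def overcharge_ratio(output_amount, input_reserves, output_reserves):
    """How many times more input the buggy scale quotes than the corrected one."""
    fixed = input_for_output(output_amount, input_reserves, output_reserves)
    buggy = input_for_output(output_amount, input_reserves, output_reserves, scale=10_000)
    return buggy / fixed

def round_trip_gap(output_amount, input_reserves, output_reserves, scale=FEE_DEN):
    """Output the quoted input would fairly buy, minus the output that was requested.

    A correct quote leaves a gap of 0 or -1 (integer truncation); a large positive
    gap means the pool is charging for far more output than it hands over.
    """
    quoted = input_for_output(output_amount, input_reserves, output_reserves, scale)
    return output_for_input(quoted, input_reserves, output_reserves) - output_amount

if __name__ == "__main__":
    # Constructed sample pool: 100 tokens on each side, 18 decimals, buying 1 token.
    reserves, want = 100 * 10**18, 10**18
    print("overcharge ratio:", overcharge_ratio(want, reserves, reserves))
    print("gap, corrected  :", round_trip_gap(want, reserves, reserves))
    print("gap, buggy      :", round_trip_gap(want, reserves, reserves, scale=10_000))
```

Running the same round-trip check as a fuzz or invariant test against the contract would catch a wrong scale literal before deployment.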

Tools Used

Manual review

Recommendations

Correct the function `TSwapPool::getInputAmountBasedOnOutput` as follows:

function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
return
- ((inputReserves * outputAmount) * 10000) /
+ ((inputReserves * outputAmount) * 1000) /
((outputReserves - outputAmount) * 997);
}
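Review bot: The denominator `(outputReserves - outputAmount) * 997` is still unguarded for `outputAmount >= outputReserves`: the two `revertIfZero` modifiers only reject zero values, so a request for the entire reserve divides by zero and a larger one underflows the subtraction. Add an explicit check with a descriptive error before the `return`. While touching this line, consider replacing the literals 1000 and 997 with named constants, since a mistyped scale literal is exactly what this change corrects, and decide deliberately whether the quoted input should round up, because the division as written truncates.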
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
