First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect calculation for getPriceOfOnePoolTokenInWeth

jennifersun

Summary

The returned price from getPriceOfOnePoolTokenInWeth() may be wrong.

Vulnerability Details

In getPriceOfOnePoolTokenInWeth(), we will calculate one pool token's price.
Here, we make one assumption that the pool token's decimal is 18. However, sometimes the token's decimal is not 18, this will return one wrong pool token price.

function getPriceOfOnePoolTokenInWeth() external view returns (uint256) {

return

// @audit [M] pool token's decimal may not be 18, return wrong price, if there are some dapp integrate with this tswap,

getOutputAmountBasedOnInput(

1e18,

i_poolToken.balanceOf(address(this)),

i_wethToken.balanceOf(address(this))

);

}

Impact

If someone wants the pool token's price as the reference or some other dapps want to intergate with T-Swap, they may get the wrong price.

Tools Used

Manual

Recommendations

Take pool tokens' decimal into the consideration.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Hardcoded decimal value leads to incorrect conversion when ERC20 does not use 18 decimals.

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.