First Flight #18: T-Swap

Severity: high
Valid

Improper swap in sellPoolTokens

Summary

Improper swap in sellPoolTokens

Vulnerability Details

In the function sellPoolTokens(), the expected behavior is that users sell pool tokens in exchange for WETH tokens. The parameter is poolTokenAmount, so users expect to sell poolTokenAmount pool tokens and receive WETH. However, the function calls swapExactOutput, which aims to swap out poolTokenAmount WETH tokens.

```solidity
function sellPoolTokens(
    uint256 poolTokenAmount
) external returns (uint256 wethAmount) {
    return
        // @audit , sell pool token to swap weth, should use swapExactInput
        swapExactOutput(
            i_poolToken,
            i_wethToken,
            poolTokenAmount,
            uint64(block.timestamp)
        );
}

function swapExactOutput(
    IERC20 inputToken,
    IERC20 outputToken,
    uint256 outputAmount,
    uint64 deadline
)
    public
    revertIfZero(outputAmount)
    revertIfDeadlinePassed(deadline)
    returns (uint256 inputAmount)
{
    uint256 inputReserves = inputToken.balanceOf(address(this));
    uint256 outputReserves = outputToken.balanceOf(address(this));
    inputAmount = getInputAmountBasedOnOutput(
        outputAmount,
        inputReserves,
        outputReserves
    );
    _swap(inputToken, inputAmount, outputToken, outputAmount);
}
```

Impact

A call to sellPoolTokens() may revert because of insufficient approval, or it may execute but with a result that is not what the user expects.
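
A numeric model of the mismatch, added here as an example that is not part of the original submission or the T-Swap code. It assumes fee-free constant-product pricing, and the reserves, amounts and Python function names are constructed for illustration.

```python
# Added model: fee-free constant-product (x * y = k) pricing is an assumption,
# and all reserves and amounts below are constructed sample values.

def output_for_exact_input(input_amount, input_reserves, output_reserves):
    """Exact-input pricing: output received for a fixed input amount."""
    return input_amount * output_reserves // (input_reserves + input_amount)

def input_for_exact_output(output_amount, input_reserves, output_reserves):
    """Exact-output pricing: input charged for a fixed output amount."""
    if output_amount >= output_reserves:
        raise ValueError("requested output is not below the pool's reserves")
    return output_amount * input_reserves // (output_reserves - output_amount)

def sell_intended(pool_token_amount, pool_reserves, weth_reserves):
    """What the caller expects: exactly pool_token_amount is sold."""
    weth_out = output_for_exact_input(pool_token_amount, pool_reserves, weth_reserves)
    return pool_token_amount, weth_out  # (pool tokens pulled, WETH sent)

def sell_as_written(pool_token_amount, pool_reserves, weth_reserves, approved):
    """The flawed path: pool_token_amount is treated as the WETH output."""
    pulled = input_for_exact_output(pool_token_amount, pool_reserves, weth_reserves)
    if pulled > approved:
        raise PermissionError("transfer exceeds the caller's approval")
    return pulled, pool_token_amount  # (pool tokens pulled, WETH sent)

if __name__ == "__main__":
    POOL, WETH, SELL = 1_000_000, 100_000, 10_000
    print("intended:  ", sell_intended(SELL, POOL, WETH))
    print("as written:", sell_as_written(SELL, POOL, WETH, approved=2**256 - 1))
    # Both failure modes: approval sized to the intended sale, and an
    # amount that is not below the pool's WETH reserves.
    for amount, approved in ((SELL, SELL), (WETH, 2**256 - 1)):
        try:
            sell_as_written(amount, POOL, WETH, approved)
        except (PermissionError, ValueError) as err:
            print("reverts:", err)
```

With these sample reserves, a caller who approved only the 10,000 pool tokens they meant to sell hits the approval failure, while a caller with unlimited approval has 111,111 pool tokens pulled instead.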

Tools Used

Manual

Recommendations

sellPoolTokens() should use swapExactInput().

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`sellPoolTokens` mismatches input and output tokens causing users to receive the incorrect amount of tokens
