First Flight #18: T-Swap

Severity: high
Valid

Possible DoS because of the extra incentive

Summary

Swaps may be blocked because of the extra incentive.

Vulnerability Details

In _swap(), the protocol gives one extra token as an incentive. The vulnerability is that the swap reverts if the pool does not hold enough liquidity to transfer 1_000_000_000_000_000_000 outputToken.

    function _swap(
        IERC20 inputToken,
        uint256 inputAmount,
        IERC20 outputToken,
        uint256 outputAmount
    ) private {
        if (
            _isUnknown(inputToken) ||
            _isUnknown(outputToken) ||
            inputToken == outputToken
        ) {
            revert TSwapPool__InvalidToken();
        }
        swap_count++;
        // @audit drain the pool
        // @audit dos
        if (swap_count >= SWAP_COUNT_MAX) {
            swap_count = 0;
            outputToken.safeTransfer(msg.sender, 1_000_000_000_000_000_000);
        }
        inputToken.safeTransferFrom(msg.sender, address(this), inputAmount);
        outputToken.safeTransfer(msg.sender, outputAmount);
    }

Impact

If the pool's liquidity is not large enough, swap operations will be blocked.

Tools Used

Manual

Recommendations

Revisit the incentive mechanism, for example by creating a T-SWAP token and minting some for the traders.
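
A minimal Python model of the _swap() accounting shown above, added here as an illustration; it is not the submitter's or the protocol's code. `PoolModel`, `Revert`, `run_swaps` and `demo` are hypothetical names, `SWAP_COUNT_MAX = 10` and the balances are constructed values, and `output_amount` is passed in rather than derived from reserves. It shows that the reverted incentive swap also rolls back `swap_count++`, so every later swap hits the same revert until the pool holds enough outputToken.

```python
BONUS = 1_000_000_000_000_000_000  # hard-coded incentive amount from _swap()
SWAP_COUNT_MAX = 10                # assumed value; the page does not state it


class Revert(Exception):
    """Stands in for an EVM revert: all state changes in the call are undone."""


class PoolModel:
    def __init__(self, input_balance, output_balance):
        self.input_balance = input_balance
        self.output_balance = output_balance
        self.swap_count = 0

    def _transfer_out(self, amount):
        # safeTransfer reverts when the pool holds fewer tokens than requested
        if amount > self.output_balance:
            raise Revert("insufficient outputToken balance")
        self.output_balance -= amount

    def swap(self, input_amount, output_amount):
        snapshot = (self.input_balance, self.output_balance, self.swap_count)
        try:
            self.swap_count += 1
            if self.swap_count >= SWAP_COUNT_MAX:
                self.swap_count = 0
                self._transfer_out(BONUS)
            self.input_balance += input_amount
            self._transfer_out(output_amount)
        except Revert:
            # Roll back everything, including swap_count++, as the EVM would
            self.input_balance, self.output_balance, self.swap_count = snapshot
            raise


def run_swaps(pool, n, input_amount, output_amount):
    """Attempt n swaps; return a list of True (succeeded) / False (reverted)."""
    results = []
    for _ in range(n):
        try:
            pool.swap(input_amount, output_amount)
            results.append(True)
        except Revert:
            results.append(False)
    return results


def demo():
    # Constructed pool: 0.5 output tokens (18 decimals), less than BONUS
    pool = PoolModel(input_balance=10**18, output_balance=5 * 10**17)
    return run_swaps(pool, 12, input_amount=10**15, output_amount=10**15), pool
```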

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

In `TSwapPool::_swap` the extra tokens given to users after every swapCount breaks the protocol invariant of x * y = k
