Description: The swapExactInput function is expected to return the actual amount of tokens bought by the caller. However, while it declares the named return value output, it is never assigned a value, nor does the function use an explicit return statement.
Impact: The return value will always be 0, giving incorrect information to the caller.
Proof of Concept:
function testSwapExactInput() public {
    // Seed the pool with liquidity so that a swap can execute.
    vm.startPrank(liquidityProvider);
    weth.approve(address(pool), 100e18);
    poolToken.approve(address(pool), 100e18);
    pool.deposit(100e18, 100e18, 100e18, uint64(block.timestamp));
    vm.stopPrank();

    // Swap 10 pool tokens for WETH and capture the reported output.
    vm.startPrank(user);
    uint256 expected = 9e18;
    poolToken.approve(address(pool), 10e18);
    uint256 output = pool.swapExactInput(poolToken, 10e18, weth, expected, uint64(block.timestamp));
    vm.stopPrank();

    // The swap succeeds, yet the named return value was never assigned.
    assert(output == 0);
}
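The bug class described above (a named return value that is declared but never written) can also be flagged statically. The following is an added example, not part of the original report or the audited code base: a heuristic Python lint run over a constructed copy of swapExactInput before and after the fix. The function name unassigned_named_returns and the regex-based parsing are assumptions of this example; it does not handle tuple assignments or braces inside string literals.

```python
import re
# Constructed input: swapExactInput before the fix, rebuilt from the report's diff.
VULNERABLE = """
function swapExactInput(IERC20 inputToken, uint256 inputAmount, IERC20 outputToken,
    uint256 minOutputAmount, uint64 deadline)
    public revertIfZero(inputAmount) revertIfDeadlinePassed(deadline)
    returns (uint256 output)
{
    uint256 inputReserves = inputToken.balanceOf(address(this));
    uint256 outputReserves = outputToken.balanceOf(address(this));
    uint256 outputAmount = getOutputAmountBasedOnInput(inputAmount, inputReserves, outputReserves);
    if (outputAmount < minOutputAmount) {
        revert TSwapPool__OutputTooLow(outputAmount, minOutputAmount);
    }
    _swap(inputToken, inputAmount, outputToken, outputAmount);
}
"""
# Mitigated form: the local outputAmount is replaced by the named return value.
FIXED = VULNERABLE.replace("uint256 outputAmount", "output").replace("outputAmount", "output")
LOCATIONS = {"memory", "calldata", "storage"}

def unassigned_named_returns(source):
    """Heuristic lint: (function, variable) pairs whose named return is never set."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    findings = []
    for m in re.finditer(r"\bfunction\s+(\w+)", source):
        brace, semi = source.find("{", m.end()), source.find(";", m.end())
        if brace == -1 or -1 < semi < brace:
            continue  # declaration without a body (interface or abstract)
        depth, end = 0, brace
        for end in range(brace, len(source)):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(source[end], 0)
            if depth == 0:
                break
        header, body = source[m.end():brace], source[brace:end + 1]
        rets = re.search(r"\breturns\s*\(([^)]*)\)", header)
        if not rets or re.search(r"\breturn\b\s*[^;\s]", body):
            continue  # nothing to return, or an explicit `return <value>;` exists
        for param in rets.group(1).split(","):
            words = param.split()
            if len(words) < 2 or words[-1] in LOCATIONS:
                continue  # unnamed return value
            assigned = rf"\b{re.escape(words[-1])}\b\s*(?:[-+*/%|&^:]?=(?!=)|\+\+|--)"
            if not re.search(assigned, body):
                findings.append((m.group(1), words[-1]))
    return findings

if __name__ == "__main__":
    print(unassigned_named_returns(VULNERABLE), unassigned_named_returns(FIXED))
```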
Recommended Mitigation:
function swapExactInput(
IERC20 inputToken,
uint256 inputAmount,
IERC20 outputToken,
uint256 minOutputAmount,
uint64 deadline
)
public
revertIfZero(inputAmount)
revertIfDeadlinePassed(deadline)
returns (uint256 output)
{
uint256 inputReserves = inputToken.balanceOf(address(this));
uint256 outputReserves = outputToken.balanceOf(address(this));
- uint256 outputAmount = getOutputAmountBasedOnInput(
+ output = getOutputAmountBasedOnInput
inputAmount,
inputReserves,
outputReserves
);
- if (outputAmount < minOutputAmount) {
+ if (output < minOutputAmount)
- revert TSwapPool__OutputTooLow(outputAmount, minOutputAmount);
+ revert TswapPool__OutputTooLow(output, minOutputAMount);
}
- _swap(inputToken, inputAmount, outputToken, outputAmount);
+ _swap(inputToken, inputAmount, outputToken, output);
}
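Review bot: the + lines of this mitigation would not compile as written: "output = getOutputAmountBasedOnInput" drops the opening parenthesis of the call, "if (output < minOutputAmount)" drops the opening brace although the closing brace remains as context, and the new revert line uses TswapPool__OutputTooLow and minOutputAMount where the removed line has TSwapPool__OutputTooLow and minOutputAmount. Keep the punctuation and identifiers of the removed lines and change only outputAmount to output, so the fix is limited to assigning the named return value.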