First Flight #18: T-Swap

Beginner Friendly, DeFi, Foundry
Severity: high
Valid

Protocol drained because of the extra incentive

Summary

The protocol will be drained because of the extra incentive.

Vulnerability Details

In the _swap() function, some extra tokens are transferred to msg.sender as an incentive. The vulnerability is that an attacker can perform multiple swap operations in one transaction to collect the extra reward tokens, and can repeat this operation to drain the whole protocol.

```solidity
function _swap(
    IERC20 inputToken,
    uint256 inputAmount,
    IERC20 outputToken,
    uint256 outputAmount
) private {
    if (
        _isUnknown(inputToken) ||
        _isUnknown(outputToken) ||
        inputToken == outputToken
    ) {
        revert TSwapPool__InvalidToken();
    }
    swap_count++;
    // @audit drain the pool
    // @audit dos
    if (swap_count >= SWAP_COUNT_MAX) {
        swap_count = 0;
        outputToken.safeTransfer(msg.sender, 1_000_000_000_000_000_000);
    }
}
```

Impact

The protocol will be drained.

Tools Used

Manual

Recommendations

Revisit the incentive mechanism, for example by creating a T-SWAP token and paying the extra incentive in that token.
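The invariant check behind this finding and the recommendation, as an added example (a constructed Python model, not code from the submission or from T-Swap): it reports the first swap after which x * y decreases. The value SWAP_COUNT_MAX = 10, the 0.3% fee and the starting reserves are assumptions; only the 1e18 payout comes from the snippet above.

```python
from dataclasses import dataclass

BONUS = 1_000_000_000_000_000_000  # payout amount taken from the _swap() snippet
SWAP_COUNT_MAX = 10                # assumed value; the page shows only the name


@dataclass
class Pool:
    x: int                     # reserve of the input token
    y: int                     # reserve of the output token
    bonus_from_reserves: bool  # True: bonus paid in outputToken, as in _swap()
    swap_count: int = 0

    def k(self) -> int:
        return self.x * self.y

    def swap(self, amount_in: int) -> int:
        # Constant-product pricing with an assumed 0.3% fee (997/1000).
        out = (amount_in * 997 * self.y) // (self.x * 1000 + amount_in * 997)
        self.x += amount_in
        self.y -= out
        self.swap_count += 1
        if self.swap_count >= SWAP_COUNT_MAX:
            self.swap_count = 0
            if self.bonus_from_reserves:
                # Mirrors outputToken.safeTransfer(msg.sender, 1e18):
                # reserves leave the pool with no matching input.
                self.y -= BONUS
        return out


def first_invariant_break(pool: Pool, amount_in: int, swaps: int):
    """Return the 1-based index of the first swap after which k shrank, else None."""
    for i in range(1, swaps + 1):
        before = pool.k()
        pool.swap(amount_in)
        if pool.k() < before:
            return i
    return None


if __name__ == "__main__":
    reserves = 100 * 10**18  # constructed starting liquidity
    print(first_invariant_break(Pool(reserves, reserves, True), 10**18, 30))
    print(first_invariant_break(Pool(reserves, reserves, False), 10**18, 30))
```

With the bonus paid from pool reserves, k drops on the swap that triggers the payout; with the incentive moved out of the pool's reserves, as the recommendation suggests, fees keep k from ever decreasing.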

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

In `TSwapPool::_swap` the extra tokens given to users after every swapCount break the protocol invariant of x * y = k
