TSwapPool::sellPoolTokens mismatches input and output tokens causing users to receive the incorrect amount of tokens
Summary:
The sellPoolTokens function is intended to allow users to easily sell pool tokens and receive WETH in exchange. Users indicate how many pool tokens they’re willing to sell in the poolTokenAmount parameter. However, the function currently miscalculaes the swapped amount.This is due to the fact that the swapExactOutput function is called, whereas the swapExactInput function is the one that should be called. Because users specify the exact amount of input tokens, not output.
Vulnerability Details
Impact:
Users will swap the wrong amount of tokens, which is a severe disruption of protocol functionality.
Tools Used
Recommendations:
Consider changing the implementation to use swapExactInput instead of swapExactOutput. Note that this would also require changing the sellPoolTokens function to accept a new parameter(ie minWethToReceive to be passed to swapExactInput)
function sellPoolTokens(
uint256 poolTokenAmount
+ uint256 minWethToReceive,
) external returns (uint256 wethAmount) {
- return
swapExactOutput(
i_poolToken,
i_wethToken,
poolTokenAmount,
uint64(block.timestamp)
);
+ return
swapExactInput(i_poolToken, poolTokenAmount, i_wethToken, minWethToReceive,
uint64(block.timestamp));
}
Additionally, it might be wise to add a deadline to the function, as there is currently no deadline. (MEV later)
Appeal created
`sellPoolTokens` mismatches input and output tokens causing users to receive the incorrect amount of tokens
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.