Submission Details
Severity:
The `TSwapPool.getInputAmountBasedOnOutput` function inaccurately calculates fees from user swaps, leading to losses
Summary
The TSwap protocol is intended to charge a 0.3% fee on swaps by applying a 997/1000 multiplier. However, it is erroneously applying a 997/10_000 multiplier, meaning that the user is paying 10 times what they should be paying. This discrepancy means the protocol is collecting substantially higher fees than designed.
Vulnerability Details
PoC - Copy this test into
TSwapPool.t.sol.
function testShouldReturnTheCorrectInputAmountBasedOnOutputAmount() public {
uint256 outputAmount = 10e18;
uint256 inputReserves = 100e18;
uint256 outputReserves = 100e18;
//According to documentation: 'Each applies a 997 out of 1000 multiplier.'
uint256 expectedInputAmount = ((inputReserves * outputAmount) * 1000) / ((outputReserves - outputAmount) * 997);
uint256 actualInputAmount = pool.getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);
//actualInputAmount is 10 times higher than expectedInputAmount
assertEq(expectedInputAmount, actualInputAmount);
}
Impact
The protocol takes more fees than expected from users, resulting in a significant loss.
Tools Used
Manual review
Recommendations
Change from
10000to1_000.
function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
- return ((inputReserves * outputAmount) * 10000) / ((outputReserves - outputAmount) * 997);
+ return ((inputReserves * outputAmount) * 1_000) / ((outputReserves - outputAmount) * 997);
}
Updates
Appeal created
inallhonesty 12 months ago
Submission Judgement Published Assigned finding tags:
Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
Rewards breakdown
nSLOC
276This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.