First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Fee Calculation in getInputAmountBasedOnOutput Function

10ap17

Summary

The getInputAmountBasedOnOutput function in the TSwap contract incorrectly calculates the input amount required for a given output amount due to an error in the fee calculation. The function scales the amount by 10000 instead of 1000, causing the protocol to take more tokens from users than intended. This results in users paying higher fees than expected.

Vulnerability Details

The getInputAmountBasedOnOutput function is designed to calculate the amount of input tokens required to obtain a specified amount of output tokens. However, the function currently miscalculates the fee, scaling the amount by 10000 instead of the correct scale of 1000. This error leads to the protocol deducting more tokens from users than necessary, resulting in excessive fees being charged. The incorrect calculation is as follows:

return (inputReserves * outputAmount * 10000) / ((outputReserves - outputAmount) * 997);

The correct calculation should scale by 1,000 to accurately compute the fee:

return (inputReserves * outputAmount * 1000) / ((outputReserves - outputAmount) * 997);

As a result, users swapping tokens via the swapExactOutput function will pay significantly more tokens than expected for their trades. This issue is exacerbated when users provide infinite allowance to the TSwapPool contract, as it exposes them to continuous overcharging.

Impact

Financial Loss to Users: Users are charged higher fees than expected, leading to financial losses.
User Trust: Users can lose trust in the TSwapprotocol due to unexpected and excessive fees.
Potential Exploitation: Malicious actors could exploit this flaw to trick users into unfavorable trades, ultimately draining liquidity from the pool.

Tools Used

Manual Code Review

Recommendations

To fix this vulnerability, the fee calculation in the getInputAmountBasedOnOutput function should be corrected to scale by 1000 instead of 10000. The corrected code is as follows:

function getInputAmountBasedOnOutput(

uint256 outputAmount,

uint256 inputReserves,

uint256 outputReserves

)

external

view

returns (uint256 inputAmount)

{

- return ((inputReserves * outputAmount) * 10000) / ((outputReserves - outputAmount) * 997);

+ return (inputReserves * outputAmount * 1000) / ((outputReserves - outputAmount) * 997);

}

This change ensures that the fee calculation is accurate, preventing the protocol from overcharging users.

Updates

Appeal created

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.