First Flight #18: T-Swap

Submission Details
Severity: high
Valid

`TSwapPool::getInputAmountBasedOnOutput()` calculates the pool fee incorrectly, taking more tokens than intended from the caller

Summary

`TSwapPool::swapExactOutput` calls `TSwapPool::getInputAmountBasedOnOutput` to compute the input amount the caller must supply for a requested output amount, but `getInputAmountBasedOnOutput` calculates the fee incorrectly. The fee the protocol intends is 0.3% of the requested swap amount, but this function calculates the fee as 90.3% of the swap, taking more tokens from the user than the user expects.

Vulnerability Details

function testswapExactOutputIsWrong() public {
    vm.startPrank(liquidityProvider);
    weth.approve(address(pool), 100e18);
    poolToken.approve(address(pool), 100e18);
    pool.deposit(100e18, 100e18, 100e18, uint64(block.timestamp));
    vm.stopPrank();

    address user1 = makeAddr("user1");
    poolToken.mint(user1, 100e18);

    vm.startPrank(user1);
    poolToken.approve(address(pool), 100e18);

    // 0.3% of 1e18 is 3e15,
    // so we need to pay 1e18 + 3e15 = 1.003e18 of tokenA in exchange for 1 weth.
    // user1 starts with a balance of 100e18, so after the swap the balance must be
    // 100e18 - 1.003e18 = 98.997e18

    pool.swapExactOutput(poolToken, weth, 1e18, uint64(block.timestamp));

    // Expected balance is 98.997e18; log what we actually got
    console.log(poolToken.balanceOf(user1));

    // user1 should have more than 98e18 at least, but has less than that
    assertFalse(poolToken.balanceOf(user1) > 98e18);
}
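The PoC's arithmetic can be reproduced off-chain and turned into a round-trip consistency check that flags the bad quote. This is an added example, not part of the submission or the T-Swap code base; the forward formula `output_for_input` and the helper `quote_is_consistent` are assumptions (standard constant-product pricing with the same 997/1000 fee), since the page does not show them.

```python
# Added example: integer model of the swap pricing (Python // floors like Solidity uint division).
FEE_NUM, FEE_DEN = 997, 1000  # 0.3% fee, the values used in the recommended fix


def input_for_output_buggy(out_amt, in_res, out_res):
    # Expression flagged in the report: 10000 where 1000 was intended.
    return (in_res * out_amt * 10000) // ((out_res - out_amt) * FEE_NUM)


def input_for_output_fixed(out_amt, in_res, out_res):
    # Expression from the recommendation.
    return (in_res * out_amt * FEE_DEN) // ((out_res - out_amt) * FEE_NUM)


def output_for_input(in_amt, in_res, out_res):
    # ASSUMPTION: the forward quote is the usual constant-product formula with
    # the same 997/1000 fee; the page does not show this function.
    in_after_fee = in_amt * FEE_NUM
    return (in_after_fee * out_res) // (in_res * FEE_DEN + in_after_fee)


def quote_is_consistent(quote_fn, out_amt, in_res, out_res, tol=1):
    # Round-trip property: pricing the quoted input forward should buy
    # out_amt again, up to integer rounding (tol=1 suits equal reserves).
    bought = output_for_input(quote_fn(out_amt, in_res, out_res), in_res, out_res)
    return abs(bought - out_amt) <= tol


if __name__ == "__main__":
    reserves = 100 * 10**18        # pool state from the PoC: 100e18 / 100e18
    start_balance = 100 * 10**18   # user1's minted poolToken balance
    for name, fn in (("buggy", input_for_output_buggy),
                     ("fixed", input_for_output_fixed)):
        for out_amt in (10**15, 10**18, 5 * 10**18):  # constructed sample sizes
            paid = fn(out_amt, reserves, reserves)
            ok = quote_is_consistent(fn, out_amt, reserves, reserves)
            print(f"{name} out={out_amt:.3e} paid={paid:.5e} "
                  f"left={start_balance - paid:.5e} round_trip_ok={ok}")
```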

Impact

The user pays about 90% more tokens in fees than the 0.3% the protocol specifies, which is a loss of funds for the user.

Tools Used

Foundry

Recommendations

Make the following code change in TSwapPool.sol:

function getInputAmountBasedOnOutput(
...
)
...
{
- return ((inputReserves * outputAmount) * 10000) / ((outputReserves - outputAmount) * 997);
+ return ((inputReserves * outputAmount) * 1000) / ((outputReserves - outputAmount) * 997);
}
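Review bot: the `+` line still hard-codes `1000` and `997` as bare literals in the return expression, which is how a single extra zero turned into this bug; define them once as named constants (a fee numerator and a fee precision) and use those names in the expression so the two values cannot drift apart. The division on that line also truncates, so the quoted input is rounded down; consider rounding the result up so that integer rounding never favours the swapper over the pool, and add a test that asserts the exact quoted input for a known reserve state.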
Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
