First Flight #18: T-Swap

Submission Details
Severity: high
Valid

Incorrect Fee Scaling in TSwapPool::getInputAmountBasedOnOutput Causes Excessive Token Withdrawals

Summary

The getInputAmountBasedOnOutput function is designed to determine the number of input tokens a user must provide to receive a specified amount of output tokens. However, a critical error in the fee calculation causes the function to miscalculate the required input.

Vulnerability Details

The function mistakenly scales the fee by 10,000 instead of 1,000 basis points, leading to excessive token deductions and user overcharges.

Impact

The protocol takes more fees than expected from users.
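
The size of the overcharge, as an added example that is not part of the original submission or the TSwap code base: a Python model of the Solidity integer arithmetic that compares both versions of the formula with the minimum input implied by a constant-product pool charging 997/1000 on the input side. The constant-product reference, the helper names, the tolerance and the sample reserves are assumptions constructed for illustration.

```python
# Added example: models uint256 floor division with Python integers.
FEE_NUM, FEE_DEN = 997, 1000  # fee ratio used by the corrected formula


def input_for_output_buggy(out, x, y):
    """Formula as reported: scales by 10000 instead of 1000."""
    return (x * out * 10000) // ((y - out) * FEE_NUM)


def input_for_output_fixed(out, x, y):
    """Formula recommended in the finding."""
    return (x * out * 1000) // ((y - out) * FEE_NUM)


def min_input_from_invariant(out, x, y):
    """Smallest input keeping (x + in*997/1000) * (y - out) >= x * y.

    Reference oracle (assumption: constant-product pool, fee on input).
    """
    num = x * out * FEE_DEN
    den = (y - out) * FEE_NUM
    return -(-num // den)  # ceiling division


def overcharge_bps(quote, out, x, y):
    """Amount by which a quote exceeds the reference, in basis points."""
    ref = min_input_from_invariant(out, x, y)
    return (quote - ref) * 10_000 // ref


def check_quote(fn, out, x, y, tolerance_bps=1):
    """Property an invariant or fuzz test can assert for any pool state:
    the quote is within rounding of the reference and never far above it."""
    quote = fn(out, x, y)
    ref = min_input_from_invariant(out, x, y)
    return ref - 1 <= quote and overcharge_bps(quote, out, x, y) <= tolerance_bps


# Constructed sample: 100 tokens on each side (18 decimals), user wants 1 token out.
X = Y = 100 * 10**18
OUT = 10**18

if __name__ == "__main__":
    for fn in (input_for_output_fixed, input_for_output_buggy):
        q = fn(OUT, X, Y)
        print(fn.__name__, q, overcharge_bps(q, OUT, X, Y), check_quote(fn, OUT, X, Y))
```

The same property, written as a fuzz test over reserves and output amounts, would have flagged the extra zero before deployment.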

Tools Used

Manual Review

Recommendations

function getInputAmountBasedOnOutput(
uint256 outputAmount,
uint256 inputReserves,
uint256 outputReserves
)
public
pure
revertIfZero(outputAmount)
revertIfZero(outputReserves)
returns (uint256 inputAmount)
{
- return ((inputReserves * outputAmount) * 10000) / ((outputReserves - outputAmount) * 997);
+ return ((inputReserves * outputAmount) * 1000) / ((outputReserves - outputAmount) * 997);
}
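
Review bot: the corrected return line still writes the fee as the bare literals 1000 and 997, which is how an extra zero got through unnoticed; pull them into named constants so the precision is defined once and used by name. Two further points on the same line: the integer division rounds inputAmount down, in the swapper's favour, so consider rounding the result up; and the denominator (outputReserves - outputAmount) is zero when outputAmount equals outputReserves, a case the two revertIfZero modifiers do not cover, so an explicit check with a descriptive revert would make the failure clearer. A regression test asserting the quoted input for known reserves should accompany the fix.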
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect fee calculation in TSwapPool::getInputAmountBasedOnOutput causes protocol to take too many tokens from users, resulting in lost fees
