First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`TSwapPool::sellPoolTokens` calls `swapExactOutput` function instead of `swapExactInput` resulting in incorrect token deduction.

4lifemen

Summary

The sellPoolTokens function in the TSwapPool contract uses the swapExactOutput function instead of the swapExactInput function.

Vulnerability Details

The sellPoolTokens function is intended to allow users to sell a specified amount of pool tokens and receive the corresponding amount of WETH in return. However, the function calls swapExactOutput instead of swapExactInput. This results in the calculation of the required input amount (pool tokens) based on the desired output amount (WETH), which can lead to an incorrect amount of pool tokens being deducted from the user.

function sellPoolTokens(uint256 poolTokenAmount) external returns (uint256 wethAmount) {

return swapExactOutput(i_poolToken, i_wethToken, poolTokenAmount, uint64(block.timestamp));

}

Proof of Concept

Add this test in the TSwapPool.t.sol

function testSellPoolTokens() public {

// 1 weth to 2 pt

vm.startPrank(liquidityProvider);

weth.approve(address(pool), type(uint256).max);

poolToken.approve(address(pool), type(uint256).max);

pool.deposit(100e18, 100e18, 200e18, uint64(block.timestamp));

vm.stopPrank();

vm.startPrank(user);

weth.approve(address(pool), type(uint256).max);

poolToken.approve(address(pool), type(uint256).max);

uint256 amountToSell = 1e17;

// User current poolToken balance

uint256 initialPoolToken = poolToken.balanceOf(user);

// User sell pool token

pool.sellPoolTokens(amountToSell);

vm.stopPrank();

// User pool token balance after swap

uint256 finalPoolTokenBalance = poolToken.balanceOf(user);

uint256 actualPoolTokenDeducted = initialPoolToken - finalPoolTokenBalance;

// Incorrect pool token deducted from user

assert(actualPoolTokenDeducted > amountToSell);

}

Impact

When users attempt to sell a specific amount of pool tokens, the amount deducted from their balance is not what they expected. This discrepancy can lead to users selling more tokens than intended, undermining trust in the protocol's functionality.

Tools Used

Manual review

Recommendations

Replace the swapExactOutput function with swapExactInput function.
Add additional param minOutputAmount

+ function sellPoolTokens(uint256 poolTokenAmount, minOutputAmount) external returns (uint256 wethAmount) {

+ return swapExactInput(i_poolToken, poolTokenAmount, i_wethToken, minOutputAmount, uint64(block.timestamp));

- return swapExactOutput(i_poolToken, i_wethToken, poolTokenAmount, uint64(block.timestamp));

}

Updates

Appeal created

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`sellPoolTokens` mismatches input and output tokens causing users to receive the incorrect amount of tokens

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.