Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Missing zero-amount validation in fee calculations in StabilityBranch.sol::getFeesForAssetsAmountOut

Summary

The functions getFeesForAssetsAmountOut and getFeesForUsdTokenAmountIn perform fee calculations without checking that their input amounts are non-zero. While other parts of the system may implicitly catch zero-value scenarios, lacking explicit validation can lead to ambiguous or unexpected arithmetic outcomes, potentially causing issues in extreme edge cases.

Vulnerability Details

In the following function, there is no validation to ensure that the input amounts (or related parameters such as the price) are non-zero:

    function getFeesForAssetsAmountOut(
        UD60x18 assetsAmountOutX18,
        UD60x18 priceX18
    ) public view returns (UD60x18 baseFeeX18, UD60x18 swapFeeX18) {
        // load swap data
        UsdTokenSwapConfig.Data storage tokenSwapData =
            UsdTokenSwapConfig.load();
        // convert the base fee in usd to the asset amount to be charged
        baseFeeX18 = ud60x18(tokenSwapData.baseFeeUsd).div(priceX18);
        // calculates the swap fee portion rounding up
        swapFeeX18 = Math.divUp(
            assetsAmountOutX18.mul(ud60x18(tokenSwapData.swapSettlementFeeBps)),
            ud60x18Convert(Constants.BPS_DENOMINATOR));
    }

Impact

  • Ambiguous Fee Calculations: Zero-value inputs could lead to undefined or unintended arithmetic behavior, such as division by zero or altered fee rounding.

  • Edge-Case Vulnerabilities: Although not directly exploitable, missing validation opens the door for potential issues or future vulnerabilities if the fee calculation logic is altered.

  • Non-adherence to Best Practices: Financial calculations should always validate critical inputs to ensure clarity and strict adherence to intended constraints.

Tools Used

  • Manual Code Review: A thorough review of fee functions revealed the lack of input validations.

  • Static Analysis Tools: Tools flagged missing input checks within arithmetic operations.

  • Fuzz Testing: Fuzzing with zero-value inputs confirmed the need for explicit validations.

Recommendations

  • Implement Explicit Zero-Value Checks: Update the functions to require that input amounts and prices are non-zero. For example:

    require(assetsAmountOutX18 != UD60x18_ZERO, "Zero asset output not allowed");
    require(priceX18 != UD60x18_ZERO, "Zero price not allowed");

  • Consistent Validation Across Functions: Apply similar zero-value checks in getFeesForUsdTokenAmountIn and other related fee modules.

  • Update Documentation: Clearly document that the input parameters must be non-zero, outlining the expected requirements for proper fee calculation.

  • Thorough Testing: Add unit tests to ensure that the contract reverts when zero values are provided, thereby safeguarding against unexpected behavior.
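
A self-contained sketch of the recommended checks together with the revert tests, added here as an example (it is not part of the submission or of the Zaros code base). It models the fee arithmetic on plain 18-decimal `uint256` values rather than PRBMath's `UD60x18`; the library, contract, error and function names are hypothetical, and the 1 USD / 30 bps configuration is constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Zaros code: the fee arithmetic modelled on plain
/// 18-decimal uint256 values, with explicit zero checks on amount and price.
library FeeMathExample {
    uint256 internal constant UNIT = 1e18; // 18-decimal fixed point
    uint256 internal constant BPS_DENOMINATOR = 10_000;

    error ZeroAssetsAmountOut();
    error ZeroPrice();

    function feesForAssetsAmountOut(
        uint256 assetsAmountOut, // asset amount, 18 decimals
        uint256 price, // USD per asset, 18 decimals
        uint256 baseFeeUsd, // assumed stand-in for tokenSwapData.baseFeeUsd
        uint256 swapFeeBps // assumed stand-in for swapSettlementFeeBps
    ) internal pure returns (uint256 baseFee, uint256 swapFee) {
        if (assetsAmountOut == 0) revert ZeroAssetsAmountOut();
        if (price == 0) revert ZeroPrice();
        // base fee in USD converted to the asset amount to be charged
        baseFee = (baseFeeUsd * UNIT) / price;
        // swap fee portion, rounded up
        swapFee = (assetsAmountOut * swapFeeBps + BPS_DENOMINATOR - 1) / BPS_DENOMINATOR;
    }
}

/// Harness: each check returns true only if the call reverts with the expected error.
contract FeeMathExampleCheck {
    // Constructed sample configuration: 1 USD base fee, 30 bps swap fee.
    function fees(uint256 amount, uint256 price) external pure returns (uint256, uint256) {
        return FeeMathExample.feesForAssetsAmountOut(amount, price, 1e18, 30);
    }

    function zeroAmountReverts() external view returns (bool) {
        try this.fees(0, 2000e18) {
            return false;
        } catch (bytes memory reason) {
            return bytes4(reason) == FeeMathExample.ZeroAssetsAmountOut.selector;
        }
    }

    function zeroPriceReverts() external view returns (bool) {
        try this.fees(1e18, 0) {
            return false;
        } catch (bytes memory reason) {
            return bytes4(reason) == FeeMathExample.ZeroPrice.selector;
        }
    }
}
```

Matching on the error selector, rather than on "any revert", keeps the test from passing when the call fails for an unrelated reason.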

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
