SSSwap

First Flight #41

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

No Input Validation for Token Decimals in the `liquidity_operations::initialize_pool` function

mishraji874

Description: The AMM doesn't validate token decimals, potentially allowing incompatible tokens or tokens with extreme decimal values. The AMM doesn't validate the decimal places of tokens when creating a new pool. This could allow the creation of pools with tokens that have extreme decimal values (e.g., 0 or >18) or incompatible decimal combinations, leading to calculation issues.

Impact:

Pools with tokens having extreme decimal values could experience calculation errors
Incompatible decimal combinations could lead to unfair pricing
Potential for precision loss in calculations

Proof of Concept: A user could create a pool with a custom token having 0 decimals and another with 30 decimals:

// In initialize_pool, no validation of token_mint_a.decimals or token_mint_b.decimals

// This allows creation of pools with any decimal combination

Recommended Mitigation: Add decimal validation in the initialize_pool function:

pub fn initialize_pool(context: Context<InitializePool>, amount_token_a: u64, amount_token_b: u64) -> Result<()> {

// Existing validation...

// Validate token decimals

let decimals_a = context.accounts.token_mint_a.decimals;

let decimals_b = context.accounts.token_mint_b.decimals;

// Ensure decimals are within reasonable range

require!(decimals_a > 0 && decimals_a <= 18, AmmError::InvalidTokenDecimals);

require!(decimals_b > 0 && decimals_b <= 18, AmmError::InvalidTokenDecimals);

// Optionally, limit decimal difference to prevent extreme imbalances

let decimal_diff = if decimals_a > decimals_b {

decimals_a - decimals_b

} else {

decimals_b - decimals_a

};

require!(decimal_diff <= 12, AmmError::IncompatibleTokenDecimals);

// Rest of the function...

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 13 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Protocol is incompatible with differenct decimals

Rewards breakdown

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.