code-423n4 / 2021-04-marginswap-findings


Users are credited more tokens when paying back debt with `registerTradeAndBorrow` #24

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Email address

mail@cmichel.io

Handle

@cmichelio

Eth address

0x6823636c2462cfdcD8d33fE53fBCD0EdbE2752ad

Vulnerability details

The `registerTradeAndBorrow` is called with the results of a trade (`inAmount`, `outAmount`). It first tries to pay back any debt with the `outAmount`. However, the full `outAmount` is credited to the user again as a deposit in the `adjustAmounts(account, tokenFrom, tokenTo, sellAmount, outAmount);` call.

Impact

As the user pays back their debt and is credited the same amount again, they are essentially credited twice the `outAmount`, making a profit of one `outAmount`. This can be withdrawn and the process can be repeated until the funds are empty.

Recommended mitigation steps

In the `adjustAmounts` call, it should only credit `outAmount - extinguishableDebt` as a deposit like in `registerDeposit`. The `registerDeposit` function correctly handles this case.
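
The accounting described in this report, as an added Python model that is not the Marginswap contract code and not part of the original submission: it books one trade with the full `outAmount` credited and with the recommended `outAmount - extinguishableDebt` credit, then checks that the net position in the bought token grows by `outAmount` only. The `Account` structure, function names, token labels and numbers are assumptions made for illustration, and borrowing to fund the sold token is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    holdings: dict = field(default_factory=dict)  # token -> deposited balance
    borrowed: dict = field(default_factory=dict)  # token -> outstanding debt

def net_position(acct, token):
    return acct.holdings.get(token, 0) - acct.borrowed.get(token, 0)

def register_trade(acct, token_from, token_to, in_amount, out_amount, fixed):
    """Book a trade result; returns the amount credited as a deposit."""
    # Assumption: the account holds enough token_from, so no new borrow is modelled.
    acct.holdings[token_from] = acct.holdings.get(token_from, 0) - in_amount
    # Step 1: the trade proceeds first pay back debt in token_to.
    debt = acct.borrowed.get(token_to, 0)
    extinguishable = min(out_amount, debt)
    acct.borrowed[token_to] = debt - extinguishable
    # Step 2: credit the deposit. The reported behaviour credits the full
    # out_amount; the recommended fix credits only what is left after repayment.
    credited = out_amount - extinguishable if fixed else out_amount
    acct.holdings[token_to] = acct.holdings.get(token_to, 0) + credited
    return credited

def net_gain(fixed):
    """Change in the token_to net position after one trade (constructed numbers)."""
    acct = Account(holdings={"A": 1000}, borrowed={"B": 300})
    before = net_position(acct, "B")
    register_trade(acct, "A", "B", in_amount=100, out_amount=200, fixed=fixed)
    return net_position(acct, "B") - before

def check_invariant(fixed, out_amount=200):
    # Accounting invariant: a trade may raise the net position by out_amount only.
    return net_gain(fixed) == out_amount

if __name__ == "__main__":
    print("reported:", net_gain(False), "invariant holds:", check_invariant(False))
    print("fixed:   ", net_gain(True), "invariant holds:", check_invariant(True))
```

The same invariant, net position change equals `outAmount`, is a natural assertion for a unit or fuzz test of the patched function.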