code-423n4 / 2021-07-spartan-findings


Swap fees are not accounted for if users swap directly from the pools #239

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The Pool calculates swap fees whenever there is a swap between the SPARTA and the TOKEN or synths. The Router uses this fee value to decide the amount of dividend transferred from the Reserve to the Pool. However, if a user performs the swap by directly calling the functions of pools, the router would not notice the swap fees, thus causing the liquidity providers to get fewer dividends.

Proof of Concept

Referenced code: Pool.sol#L207 Pool.sol#L225 Pool.sol#L241 Pool.sol#L256 Router.sol#L150 Router.sol#L158 Router.sol#L181 Router.sol#L240 Router.sol#L264

Recommended Mitigation Steps

Only allow the router to call the pool's swap functions to ensure that the swap fees are accounted for dividends.
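The access restriction recommended above, as an added illustration rather than the Spartan Protocol code or the finding's own code: a hypothetical minimal Pool whose swap entry point is restricted to a single Router, so the fee returned by every swap reaches the router's dividend accounting. Contract names, the fee parameter and the dividendsOwed counter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified Pool/Router pair (assumed names and fee maths,
// not the Spartan Protocol contracts) showing the mitigation: only the
// router may trigger a swap, so no swap fee escapes dividend accounting.
contract Pool {
    address public immutable router;
    uint256 public constant FEE_BASIS_POINTS = 30; // assumed 0.30% swap fee

    modifier onlyRouter() {
        require(msg.sender == router, "Pool: caller is not the router");
        _;
    }

    constructor(address _router) {
        router = _router;
    }

    // Without `onlyRouter`, anyone could call swap() directly: the swap would
    // execute and the fee would be taken, but the Router (which is the only
    // place fees are recorded for dividends) would never see it.
    function swap(uint256 amountIn)
        external
        onlyRouter
        returns (uint256 amountOut, uint256 fee)
    {
        fee = (amountIn * FEE_BASIS_POINTS) / 10_000;
        amountOut = amountIn - fee;
        // Token transfers and reserve updates omitted in this illustration.
    }
}

contract Router {
    uint256 public dividendsOwed; // accumulated fees owed to liquidity providers

    // The only path to Pool.swap(): every fee is credited here.
    function swapViaRouter(Pool pool, uint256 amountIn)
        external
        returns (uint256 amountOut)
    {
        uint256 fee;
        (amountOut, fee) = pool.swap(amountIn);
        dividendsOwed += fee;
    }
}
```

The Router must be deployed first so its address can be fixed in the Pool constructor; a production design would instead let governance update the router address.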

SamusElderg commented 3 years ago

This was a design decision; we will only generate dividends from swaps via the router.

ghoul-sol commented 3 years ago

Per sponsor comment, invalid.