Open code423n4 opened 2 years ago
Can't find a duplicate, @maxsam4?
Handle
0xRajeev
Vulnerability details
Impact
The _updateReserves() function in HybridPool uses a strict bound of '<' against type(uint128).max while updating the reserves. This is an off-by-one strict bound because this technically can be '<=' without overflowing, as done in ConstantProductPool.
Proof of Concept
https://github.com/sushiswap/trident/blob/6bd4c053b6213ffc612987eb565aa3813d5f0d13/contracts/pool/HybridPool.sol#L279
https://github.com/sushiswap/trident/blob/6bd4c053b6213ffc612987eb565aa3813d5f0d13/contracts/pool/ConstantProductPool.sol#L271
Tools Used
Manual Analysis
Recommended Mitigation Steps
Change '<' to '<='