Open code423n4 opened 3 years ago
This is really 2 issues.
o.premium
is always less than filled[hash] (filled[hash] = filled[hash] + a from a previous fill, where the require was true)downgrading both issues to non-critical, the warden suggestion is a better algorithm and should be implemented.
Handle
gpersoon
Vulnerability details
Impact
The contract Swivel.sol contains a few of the following requires: require(a <= (o.premium - filled[hash]), 'taker amount > available volume');
If "o.premium" happens to be smaller than "filled[hash]", a revert will occur at "o.premium - filled[hash]" and no error message will be displayed.
Also note the statements use slightly different syntax with the parentheses.
Proof of Concept
Swivel.sol: require(a <= (o.premium - filled[hash]), 'taker amount > available volume'); Swivel.sol: require((a <= o.principal - filled[hash]), 'taker amount > available volume'); // slightly different syntax Swivel.sol: require(a <= ((o.principal - filled[hash])), 'taker amount > available volume'); // slightly different syntax Swivel.sol: require(a <= (o.premium - filled[hash]), 'taker amount > available volume'); Swivel.sol: require(a <= (o.premium - filled[hash]), 'taker amount > available volume'); Swivel.sol: require(a <= (o.principal - filled[hash]), 'taker amount > available volume'); Swivel.sol: require(a <= (o.principal - filled[hash]), 'taker amount > available volume'); Swivel.sol: require(a <= (o.premium - filled[hash]), 'taker amount > available volume');
Tools Used
Recommended Mitigation Steps
replace require(a <= (o.xxxx - filled[hash]), 'taker amount > available volume');
with require( (a + filled[hash]) <= o.xxxx), 'taker amount > available volume');
Use the same parentheses structure everywhere.