code-423n4 / 2021-10-tally-findings


The initial `swapFee` can be greater than or equal to `SWAP_FEE_DIVISOR` #59

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pants

Vulnerability details

When `Swap`'s constructor sets the initial `swapFee` to the value of the argument `swapFee`, it doesn't check that this value is smaller than `SWAP_FEE_DIVISOR`.

Impact

If `swapFee` equals `SWAP_FEE_DIVISOR`, then the system charges 100% fees so users have no reason to use it. If `swapFee` is greater than `SWAP_FEE_DIVISOR`, then the swaps won't work at all. Instead, they will always revert due to an underflow on `SWAP_FEE_DIVISOR.sub(swapFee)`.

Tool Used

Manual code review.

Recommended Mitigation Steps

Require `swapFee_ < SWAP_FEE_DIVISOR` in `Swap`'s constructor.
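The report above, modelled as an added example that is not code from the audited repository or from the reporter: an unchecked constructor beside one with the recommended `require`. The contract names, the `amountAfterFee` helper, the value of `SWAP_FEE_DIVISOR` and the use of Solidity 0.8 checked arithmetic in place of `SafeMath.sub` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model only, not the audited Swap contract.
abstract contract SwapFeeModel {
    // Assumed value; the finding does not state the real constant.
    uint256 public constant SWAP_FEE_DIVISOR = 100_000;
    uint256 public swapFee;

    // Hypothetical helper: amount left for the user after the fee is taken.
    // Checked subtraction in 0.8 reverts on underflow, as SafeMath's sub does.
    function amountAfterFee(uint256 boughtAmount) public view returns (uint256) {
        return ((SWAP_FEE_DIVISOR - swapFee) * boughtAmount) / SWAP_FEE_DIVISOR;
    }
}

// Behaviour described in the finding: any initial value is accepted.
//   swapFee_ == SWAP_FEE_DIVISOR -> amountAfterFee always returns 0 (100% fee)
//   swapFee_ >  SWAP_FEE_DIVISOR -> amountAfterFee always reverts (underflow)
contract UncheckedSwapFee is SwapFeeModel {
    constructor(uint256 swapFee_) {
        swapFee = swapFee_;
    }
}

// Recommended mitigation: reject both cases at deployment time.
contract CheckedSwapFee is SwapFeeModel {
    constructor(uint256 swapFee_) {
        require(
            swapFee_ < SWAP_FEE_DIVISOR,
            "swapFee must be below SWAP_FEE_DIVISOR"
        );
        swapFee = swapFee_;
    }
}
```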

Shadowfiend commented 2 years ago

Duplicate of #25.