In TempusAMM constructor L138, the scaling factor 0 always maps to yieldShare, and scaling factor 1 always maps to principalShare, even though in L134 the two token might swap if principalShare < yieldShare, which makes _token0 = principalShare and _token1 = yieldShare, but scaling factor 0 is based on yieldShare.
Later _scalingFactor is based on _token0, so it might get the wrong scaling factor if principalShare and yieldShare had swapped.
While this works with Tempus Principals and Tempus Yields (have the same scaling factor), AMM was made to be able to be reused for some other tokens with similar correlation, so this must be fixed.
Handle
chenyu
Vulnerability details
Impact
In TempusAMM constructor L138, the scaling factor 0 always maps to yieldShare, and scaling factor 1 always maps to principalShare, even though in L134 the two token might swap if principalShare < yieldShare, which makes _token0 = principalShare and _token1 = yieldShare, but scaling factor 0 is based on yieldShare.
Later _scalingFactor is based on _token0, so it might get the wrong scaling factor if principalShare and yieldShare had swapped.
Recommended Mitigation Steps
Update the lines to