0xean
commented
2 years ago Not sure if we will fix this as we have really good error messaging in our SDK and front end, but agree the error messages could be improved.
Open code423n4 opened 2 years ago
0xean
commented
2 years ago Not sure if we will fix this as we have really good error messaging in our SDK and front end, but agree the error messages could be improved.
GalloDaSballo
commented
2 years ago I believe the finding to be valid, because it's at the informational level (error messages), I think non-critical to be more appropriate
Handle
hyh
Vulnerability details
Impact
Whenever swaps are being run with token amounts too big the system fails with low level not enough amount message from the requested ERC20 token transfer.
Proof of Concept
Both swap functions do not check the amount to be returned:
quoteTokenQty calculated isn't checked to be achievable:
https://github.com/code-423n4/2022-01-elasticswap/blob/main/elasticswap/src/contracts/Exchange.sol#L285
baseTokenQty calculated isn't checked to be achievable:
https://github.com/code-423n4/2022-01-elasticswap/blob/main/elasticswap/src/contracts/Exchange.sol#L323
Recommended Mitigation Steps
Check the amounts to be returned from the quote-to-base and base-to-quote swaps to be lower than current base and quote balance.