code-423n4 / 2022-04-badger-citadel-findings


`deposit()`ing when there is no discount results in zero xCitadel bought #173

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L202-L216

Vulnerability details

The amount of citadel bought when there is no discount is always zero. If the user doesn't specify, or specifies zero as the `_minCitadelOut`, then the user will get no xCitadel and will still have to pay the full price.

Proof of Concept

If `funding.discount` is equal to zero, `citadelAmount_` will remain at the uninitialized value of zero rather than the correct value of `citadelAmountWithoutDiscount`.

File: src/Funding.sol (lines 202-216)

    function getAmountOut(uint256 _assetAmountIn)
        public
        view
        returns (uint256 citadelAmount_)
    {
        uint256 citadelAmountWithoutDiscount = _assetAmountIn * citadelPriceInAsset;

        if (funding.discount > 0) {
            citadelAmount_ =
                (citadelAmountWithoutDiscount * MAX_BPS) /
                (MAX_BPS - funding.discount);
        }

        citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue;
    }

Tools Used

Code inspection

Recommended Mitigation Steps

Initialize `citadelAmount_` to `citadelAmountWithoutDiscount`.
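The recommended mitigation next to the reported logic, as an added example that is not part of the original report or the project's own code. The contract name, constructor, the `MAX_BPS` value of 10000 and the `noDiscountQuoteMatches` check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's Funding.sol: a minimal stand-in that
// keeps only the state getAmountOut() reads.
contract AmountOutExample {
    uint256 public constant MAX_BPS = 10000; // assumed basis-point denominator
    struct FundingParams { uint256 discount; } // discount in basis points
    FundingParams public funding;
    uint256 public citadelPriceInAsset;
    uint256 public assetDecimalsNormalizationValue;

    constructor(uint256 price, uint256 normalization, uint256 discount) {
        require(normalization > 0, "zero normalization");
        require(discount < MAX_BPS, "discount too high");
        citadelPriceInAsset = price;
        assetDecimalsNormalizationValue = normalization;
        funding.discount = discount;
    }

    // Logic as quoted in the report: with discount == 0 the return variable
    // is never assigned, so the result is 0 / normalization == 0.
    function getAmountOutReported(uint256 _assetAmountIn) public view returns (uint256 citadelAmount_) {
        uint256 citadelAmountWithoutDiscount = _assetAmountIn * citadelPriceInAsset;
        if (funding.discount > 0) {
            citadelAmount_ = (citadelAmountWithoutDiscount * MAX_BPS) / (MAX_BPS - funding.discount);
        }
        citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue;
    }

    // Recommended mitigation: start from the undiscounted amount, then apply
    // the discount only when one is configured.
    function getAmountOutFixed(uint256 _assetAmountIn) public view returns (uint256 citadelAmount_) {
        citadelAmount_ = _assetAmountIn * citadelPriceInAsset;
        if (funding.discount > 0) {
            citadelAmount_ = (citadelAmount_ * MAX_BPS) / (MAX_BPS - funding.discount);
        }
        citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue;
    }

    // Regression check for the no-discount path. For any input whose plain
    // price calculation is non-zero, reportedOk is false and fixedOk is true.
    function noDiscountQuoteMatches(uint256 _assetAmountIn) external view returns (bool reportedOk, bool fixedOk) {
        require(funding.discount == 0, "check targets discount == 0");
        uint256 expected = (_assetAmountIn * citadelPriceInAsset) / assetDecimalsNormalizationValue;
        reportedOk = getAmountOutReported(_assetAmountIn) == expected;
        fixedOk = getAmountOutFixed(_assetAmountIn) == expected;
    }
}
```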

GalloDaSballo commented 2 years ago

Agree

jack-the-pug commented 2 years ago

Dup #149