Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L163
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L177
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L178
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L215
Vulnerability details
Impact
While funding.discount is 0, a user who calls deposit() without a minimum expected output (_minCitadelOut set to 0) receives 0 citadel tokens, no matter how much asset they deposit. The asset is still taken from them.
Proof of Concept
The Funding contract is used to buy citadel tokens with another asset. A user wanting to buy calls deposit(), which calls a second function, getAmountOut(), to compute the amount of citadel tokens to send out.
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L163
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L177
If funding.discount is equal to 0, getAmountOut() returns 0: the `if (funding.discount > 0)` branch is not entered, and citadelAmount_ (the named return variable) is never assigned outside that branch, so it keeps its default value of 0. The final division, 0 / assetDecimalsNormalizationValue, is therefore 0.
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L215
So the user receives 0 tokens in exchange for any amount of asset in.
If the user passes a non-zero _minCitadelOut to deposit(), the slippage check reverts instead, so while the discount is 0 nobody is able to buy tokens at all. https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L178
Tools Used
Recommended Mitigation Steps
If funding.discount is equal to 0, return citadelAmount_ = citadelAmountWithoutDiscount / assetDecimalsNormalizationValue, i.e. initialise citadelAmount_ to citadelAmountWithoutDiscount before the if branch (or add an else branch), so that the undiscounted amount is used when no discount is configured. https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L215
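To make the Proof of Concept and the mitigation above concrete, here is an added Python model of the arithmetic in getAmountOut() and of the slippage check in deposit(). It is example code written for this report, not the project's Solidity; the vulnerable and fixed variants mirror the logic described above, and the price, decimals and amounts are assumed test values (an 8-decimal asset, a hypothetical citadelPriceInAsset of 2e18, a 10% discount in basis points), not figures from the contract or its deployment.

```python
"""Model of Funding.getAmountOut() / deposit() slippage check (example, not project code).

Integer division (//) is used throughout to mirror Solidity's uint arithmetic.
"""

MAX_BPS = 10_000  # basis-point denominator used for funding.discount


class SlippageRevert(Exception):
    """Stands in for the Solidity revert "minCitadelOut slippage check"."""


def get_amount_out_vulnerable(asset_amount_in: int, citadel_price_in_asset: int,
                              discount_bps: int, asset_norm: int) -> int:
    """Mirror of the reported bug: the result is only assigned inside the discount branch."""
    citadel_without_discount = asset_amount_in * citadel_price_in_asset
    citadel_amount = 0  # Solidity named return value starts at zero
    if discount_bps > 0:
        citadel_amount = (citadel_without_discount * MAX_BPS) // (MAX_BPS - discount_bps)
    # With discount_bps == 0 this is 0 // asset_norm == 0, whatever the input amount.
    return citadel_amount // asset_norm


def get_amount_out_fixed(asset_amount_in: int, citadel_price_in_asset: int,
                         discount_bps: int, asset_norm: int) -> int:
    """Recommended mitigation: default to the undiscounted amount, apply the discount only if set."""
    citadel_without_discount = asset_amount_in * citadel_price_in_asset
    citadel_amount = citadel_without_discount
    if discount_bps > 0:
        citadel_amount = (citadel_without_discount * MAX_BPS) // (MAX_BPS - discount_bps)
    return citadel_amount // asset_norm


def deposit(amount_out_fn, asset_amount_in: int, min_citadel_out: int,
            citadel_price_in_asset: int, discount_bps: int, asset_norm: int) -> int:
    """Models the part of deposit() that computes the output and enforces _minCitadelOut."""
    if asset_amount_in <= 0:
        raise ValueError("_assetAmountIn must not be 0")
    citadel_amount = amount_out_fn(asset_amount_in, citadel_price_in_asset, discount_bps, asset_norm)
    if citadel_amount < min_citadel_out:
        raise SlippageRevert("minCitadelOut slippage check")
    return citadel_amount


# Assumed test values (constructed for this example, not taken from the contract):
ASSET_NORM = 10**8            # 8-decimal asset, e.g. a wrapped BTC-style token
PRICE = 2 * 10**18            # hypothetical citadelPriceInAsset
AMOUNT_IN = 5 * ASSET_NORM    # depositing 5 whole asset units
DISCOUNT_10PCT = 1_000        # 10% in basis points


def reproduce() -> dict:
    """Runs the scenarios from the report and returns the observed outcomes."""
    results = {}
    # 1. Vulnerable contract, discount 0, no minimum: user gets nothing for 5 asset units.
    results["vuln_no_min"] = deposit(get_amount_out_vulnerable, AMOUNT_IN, 0, PRICE, 0, ASSET_NORM)
    # 2. Vulnerable contract, discount 0, any non-zero minimum: deposit reverts, nobody can buy.
    try:
        deposit(get_amount_out_vulnerable, AMOUNT_IN, 1, PRICE, 0, ASSET_NORM)
        results["vuln_with_min"] = "no revert"
    except SlippageRevert:
        results["vuln_with_min"] = "revert"
    # 3. Fixed contract, discount 0: the undiscounted amount is paid out.
    results["fixed_no_discount"] = deposit(get_amount_out_fixed, AMOUNT_IN, 1, PRICE, 0, ASSET_NORM)
    # 4. With a discount configured, vulnerable and fixed agree (the bug is only in the 0 case).
    results["vuln_discount"] = get_amount_out_vulnerable(AMOUNT_IN, PRICE, DISCOUNT_10PCT, ASSET_NORM)
    results["fixed_discount"] = get_amount_out_fixed(AMOUNT_IN, PRICE, DISCOUNT_10PCT, ASSET_NORM)
    return results


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name}: {value}")
```

Scenario 4 is the reason the bug is easy to miss in testing: any test run with a non-zero discount passes, and only the discount-0 configuration exposes the zero output.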