code423n4 opened 1 year ago
Valid report, but impact shown is up to 1 Dollar
@bin2chen66 please do send an instance with higher impact if you can generate it
If impact is at that size I will downgrade to QA Low
@GalloDaSballo Tried and could not generate. Agree with you
GalloDaSballo changed the severity to QA (Quality Assurance)
L
m19 marked the issue as sponsor confirmed
We confirm this issue but we agree with the judge that the impact is very low and thus should be considered QA/low.
GalloDaSballo marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMASwap.sol#L309-L310
Vulnerability details
Impact
Unnecessary precision loss in redeemKIBT()
Proof of Concept
Once the protocol enters Deprecated mode, users can redeem a percentage of the StableCoin with redeemKIBT().
The redeemKIBT() implementation code is as follows:
Simplify the formula:
The above formula
amount * StableCoinBalance / 10**18
may suffer precision loss, and StableCoinBalance is in USDC's decimals (== 6). It is recommended to use
redeemAmount = amount * StableCoinBalance / totalSupply
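The rounding difference between the two formulas, as an added example that is not part of the report or the KUMA codebase. It assumes the original computes a 1e18-scaled share first (amount * 1e18 / totalSupply, which the report's simplification reduces to share * StableCoinBalance / 10**18) and compares it with the single mulDiv the report recommends; all balances are constructed sample values.

```python
# Added example: two rounding orders for a pro-rata StableCoin redemption.
# Integer floor division mirrors Solidity's uint256 arithmetic.
WAD = 10**18          # 1e18 scale used for the intermediate share (assumed)
USDC_UNIT = 10**6     # USDC has 6 decimals, as the report notes


def redeem_two_step(amount: int, total_supply: int, stable_balance: int) -> int:
    """Assumed original order: floor a 1e18 share, then apply it to the balance.
    Truncation happens twice, so the result can fall short of the exact value."""
    share = amount * WAD // total_supply      # first truncation (share in 1e18)
    return share * stable_balance // WAD      # second truncation (USDC units)


def redeem_muldiv(amount: int, total_supply: int, stable_balance: int) -> int:
    """Report's recommendation: multiply first, divide once (mulDiv-style)."""
    return amount * stable_balance // total_supply


def shortfall(amount: int, total_supply: int, stable_balance: int) -> int:
    """USDC units (1e-6 USDC) the two-step order pays out below the exact result."""
    return (redeem_muldiv(amount, total_supply, stable_balance)
            - redeem_two_step(amount, total_supply, stable_balance))


def shortfall_bound(stable_balance: int) -> int:
    """Upper bound on the shortfall: the share loses < 1/1e18 of the balance and
    the final division loses < 1 unit, so at most balance//1e18 + 1 units."""
    return stable_balance // WAD + 1


def worst_case(total_supply: int, stable_balance: int, step: int) -> int:
    """Scan redemption amounts 1..total_supply in `step` increments and return
    the largest shortfall found (constructed grid, not an exhaustive proof)."""
    return max(shortfall(a, total_supply, stable_balance)
               for a in range(1, total_supply + 1, step))


if __name__ == "__main__":
    # Constructed scenario: 3 KIBT outstanding, 3 USDC held, redeem 1 KIBT.
    amount, supply, balance = 10**18, 3 * 10**18, 3 * USDC_UNIT
    print("exact   :", redeem_muldiv(amount, supply, balance))    # 1000000
    print("two-step:", redeem_two_step(amount, supply, balance))  # 999999
    print("shortfall units:", shortfall(amount, supply, balance))
```

With USDC's 6 decimals the shortfall is bounded by a few base units per redemption, which is why the judge downgraded the finding to QA.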
Test code:
Tools Used
Recommended Mitigation Steps