code-423n4 / 2023-05-juicebox-findings

`_tokenCount` is calculated assuming `_weightRatio == 10**18` #270

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/9d0458282511ff269b3b35b5b082b56d5cc08663/juice-buyback/contracts/JBXBuybackDelegate.sol#L150

Vulnerability details

Impact

JBXBuybackDelegate may mint a different and incorrect amount of tokens than what would otherwise have been minted in the terminal.

Proof of Concept

In JBXBuybackDelegate the total number of tokens to mint is calculated in payParams() at L150 as

```solidity
uint256 _tokenCount = PRBMath.mulDiv(_data.amount.value, _data.weight, 10 ** 18);
```

This value will be used to choose between the mint or swap pathway (L156), and may be the actual number of tokens minted in didPay() (L205 or L207).

If the tokens are not minted by JBXBuybackDelegate then the number of tokens to mint in the terminal is instead calculated in JBSingleTokenPaymentTerminalStore3_1.recordPaymentFrom() at L427 as

```solidity
tokenCount = PRBMath.mulDiv(_amount.value, _weight, _weightRatio);
```

_weightRatio is calculated just before

```solidity
uint256 _weightRatio = _amount.currency == _baseWeightCurrency
    ? 10**_decimals
    : prices.priceFor(_amount.currency, _baseWeightCurrency, _decimals);
```

and so is not necessarily 10**18. This means that _tokenCount in JBXBuybackDelegate may be different from tokenCount in the terminal and lead to a different and incorrect amount of tokens minted.

Recommended Mitigation Steps

Perform the same calculation of _tokenCount in JBXBuybackDelegate as in the terminal.

Assessed type

Context
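The divergence described in the report above, modelled in Python as an added example (not code from the report or from the Juicebox contracts). The currency ids, the weight, the amounts and the fixed-quote price feed stub are all constructed for illustration; only the two `mulDiv` formulas and the `_weightRatio` branch come from the quoted lines.

```python
# Added model of the two formulas quoted in the report; not Juicebox code.
CURRENCY_A, CURRENCY_B = 1, 2  # constructed currency ids

def mul_div(a, b, denominator):
    """Integer floor(a * b / denominator), the result PRBMath.mulDiv returns."""
    return a * b // denominator

def delegate_token_count(value, weight):
    """payParams() formula: divisor fixed at 10**18."""
    return mul_div(value, weight, 10**18)

def terminal_token_count(value, weight, currency, base_currency, decimals, price_for):
    """recordPaymentFrom() formula: divisor is the computed _weightRatio."""
    if currency == base_currency:
        ratio = 10**decimals
    else:
        ratio = price_for(currency, base_currency, decimals)
    return mul_div(value, weight, ratio)

def stub_price_for(currency, base, decimals):
    """Constructed price feed stub: fixed quote of 2000, scaled to `decimals`."""
    return 2000 * 10**decimals

WEIGHT = 1_000 * 10**18  # constructed funding-cycle weight

# (label, amount value, amount currency, base weight currency, decimals)
SCENARIOS = [
    ("same currency, 18 decimals", 10**18, CURRENCY_A, CURRENCY_A, 18),
    ("same currency, 6 decimals", 10**6, CURRENCY_A, CURRENCY_A, 6),
    ("different currency, 18 decimals", 10**18, CURRENCY_B, CURRENCY_A, 18),
]

def compare(scenarios=SCENARIOS, weight=WEIGHT):
    """Return (label, delegate count, terminal count, counts match) per scenario."""
    rows = []
    for label, value, currency, base, decimals in scenarios:
        d = delegate_token_count(value, weight)
        t = terminal_token_count(value, weight, currency, base, decimals, stub_price_for)
        rows.append((label, d, t, d == t))
    return rows

if __name__ == "__main__":
    for label, d, t, same in compare():
        print(f"{label:32} delegate={d} terminal={t} match={same}")
```

Only the first scenario, where `_weightRatio` evaluates to `10**18`, yields matching counts; a unit test comparing both formulas across decimals and currencies is a cheap regression check for this class of mismatch.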

c4-pre-sort commented 1 year ago

dmvt marked the issue as duplicate of #92

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b