code-423n4 / 2023-07-basin-findings


`ConstantProduct2` functions don't enforce reserve arrays with length 2. #84

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L49
https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L58
https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L79
https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L92

Vulnerability details

Impact

Although the contract `ConstantProduct2` is designed to work with Wells of 2 tokens, it doesn't employ any enforcement on that, which allows it to be used with multi-token Wells.

Proof of Concept

In that scenario, regardless of the tokens being traded, the contract will always output the calculation regarding the first 2 reserves, which can possibly lead to incorrect values and broken invariants.

Tools Used

Manual review

Recommended Mitigation Steps

Add a requirement statement that `reserves.length == 2`.

Assessed type

Invalid Validation
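
The missing check and the recommended mitigation from the report above, sketched side by side. This is an added example, not code from the report or from the Basin repository; the contract name, the `SCALE` constant, the error name and the sample reserve values are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration (hypothetical contract, not the Basin source).
contract TwoTokenProductSketch {
    uint256 internal constant SCALE = 1e12; // assumed precision factor

    error InvalidReservesLength(uint256 length); // hypothetical error name

    /// Unguarded: reads only reserves[0] and reserves[1], whatever the length.
    function lpSupplyUnchecked(uint256[] memory reserves) public pure returns (uint256) {
        return _sqrt(reserves[0] * reserves[1] * SCALE);
    }

    /// Guarded: the recommended check, reverting for any array that is not a pair.
    function lpSupplyChecked(uint256[] memory reserves) public pure returns (uint256) {
        if (reserves.length != 2) revert InvalidReservesLength(reserves.length);
        return _sqrt(reserves[0] * reserves[1] * SCALE);
    }

    /// Constructed 3-token input: tripling reserves[2] leaves the unguarded
    /// result unchanged, so the third token is invisible to the invariant.
    function thirdReserveIgnored() external pure returns (bool) {
        uint256[] memory r = new uint256[](3);
        r[0] = 100e18;
        r[1] = 400e18;
        r[2] = 900e18;
        uint256 baseline = lpSupplyUnchecked(r);
        r[2] = 2700e18;
        return baseline == lpSupplyUnchecked(r);
    }

    /// Babylonian integer square root, rounded down.
    function _sqrt(uint256 y) private pure returns (uint256 z) {
        if (y > 3) {
            z = y;
            uint256 x = y / 2 + 1;
            while (x < z) {
                z = x;
                x = (y / x + x) / 2;
            }
        } else if (y != 0) {
            z = 1;
        }
    }
}
```

Calling `lpSupplyChecked` with the same 3-element array reverts with `InvalidReservesLength(3)`, so a misconfigured multi-token Well fails at the first call and never receives a value computed from only two of its reserves.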

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #163

c4-judge commented 1 year ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

alcueca marked the issue as selected for report

c4-judge commented 1 year ago

alcueca marked the issue as grade-a

c4-judge commented 1 year ago

alcueca marked the issue as not selected for report