search

code-423n4 / 2023-08-shell-findings

3 stars 2 forks source link

```swapGivenInputAmount()``` will always revert #192

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L296

Vulnerability details

Impact

swapGivenInputAmount(...) will always revert leading to a Denial of service.

Proof of Concept

A call to swapGivenInputAmount(...) will always revert owing to the logic implementation in the function.

    function swapGivenInputAmount(
        uint256 xBalance,
        uint256 yBalance,
        uint256 inputAmount,
        SpecifiedToken inputToken
    ) external view returns (uint256 outputAmount) {
        ...

        int256 result = _swap(
            FEE_DOWN,
            int256(inputAmount),
            int256(xBalance),
            int256(yBalance),
            inputToken
        );
        // amount cannot be less than 0
        require(result < 0);

        ...
    }

The _swap(...) function returns a positive signed integer value cached in result. However, the function requires that result must be negative for this reason the check will not pass and this will lead to the function reverting.

Tools Used

Manual review.

Recommended Mitigation Steps

Change the less than sign to greater than as shown below

    function swapGivenInputAmount(
        uint256 xBalance,
        uint256 yBalance,
        uint256 inputAmount,
        SpecifiedToken inputToken
    ) external view returns (uint256 outputAmount) {
        ...

        int256 result = _swap(
            FEE_DOWN,
            int256(inputAmount),
            int256(xBalance),
            int256(yBalance),
            inputToken
        );
        // amount cannot be less than 0
        require(result > 0);

        ...
    }

Assessed type

DoS

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as low quality report

0xRobocop commented 1 year ago

Invalid

result returned by _swap in swapGivenInputAmount should be negative.

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as primary issue

c4-judge commented 1 year ago

JustDravee marked the issue as unsatisfactory: Invalid