search

code-423n4 / 2023-08-shell-findings

4 stars 2 forks source link

swapGivenInputAmount checks the wrong result out #258

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L295

Vulnerability details

Impact

Wrong check amount results in unusable function.

Proof of Concept

swapGivenInputAmount calcaultes the value of result after calling _swap(). The check then requires that result < 0. However, the comment states that amount cannot be less than 0.

swapGivenInputAmount
        );
        int256 result = _swap(
            FEE_DOWN,
            int256(inputAmount),
            int256(xBalance),
            int256(yBalance),
            inputToken
        );
->      // amount cannot be less than 0 
->      require(result < 0); // contradicts the comment

In swapGivenOutputAmount, result must be greater than 0. 

swapGivenOutputAmount
        int256 result = _swap(
            FEE_UP,
            -int256(outputAmount),
            int256(xBalance),
            int256(yBalance),
            outputToken
        );

        // amount cannot be less than 0
->      require(result > 0);
->      inputAmount = uint256(result);

Tools Used

VS Code

Recommended Mitigation Steps

Make sure that the require statement in swapGivenInputAmount() is correct. 

 // amount cannot be less than 0
-        require(result < 0);
+        require(result > 0);
        // output amount validations against the current balance
        outputAmount = uint256(-result);

Assessed type

Invalid Validation

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as duplicate of #89

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as low quality report

c4-judge commented 1 year ago

JustDravee marked the issue as unsatisfactory: Invalid