swapGivenInputAmount calculates the value of result by calling _swap(). The check that follows requires that result < 0. However, the comment directly above the check states that the amount cannot be less than 0.
swapGivenInputAmount
);
int256 result = _swap(
FEE_DOWN,
int256(inputAmount),
int256(xBalance),
int256(yBalance),
inputToken
);
-> // amount cannot be less than 0
-> require(result < 0); // contradicts the comment
In swapGivenOutputAmount, result must be greater than 0.
swapGivenOutputAmount
int256 result = _swap(
FEE_UP,
-int256(outputAmount),
int256(xBalance),
int256(yBalance),
outputToken
);
// amount cannot be less than 0
-> require(result > 0);
-> inputAmount = uint256(result);
Tools Used
VS Code
Recommended Mitigation Steps
Make sure that the require statement in swapGivenInputAmount() is correct.
// amount cannot be less than 0
- require(result < 0);
+ require(result > 0);
// output amount validations against the current balance
outputAmount = uint256(-result);
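Review bot: The unchanged context line outputAmount = uint256(-result); still negates result, so once the check becomes require(result > 0) the value -result is negative and the cast to uint256 no longer yields the magnitude of result. If the check is flipped, the assignment has to change with it (swapGivenOutputAmount assigns inputAmount = uint256(result) after its result > 0 check). Otherwise, confirm the sign that _swap() returns for an output amount before touching the require, since the comment "amount cannot be less than 0" may describe outputAmount rather than result.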
Lines of code
https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L295
Vulnerability details
Impact
An incorrect check on the amount makes the function unusable.
Assessed type
Invalid Validation