code-423n4 / 2023-09-goodentry-mitigation-findings


M-07 MitigationConfirmed #40

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Comments

TokenisableRange.deposit uses user input when calculating fees, but the user may input an imperfect proportion of tokens. All excess tokens should be returned to the user and should not be involved in fee calculations. Billing users for all inputted tokens results in additional fees and loss of user funds.

Mitigation

```solidity
feeLiquidity = newLiquidity * ( (fee0 * TOKEN0_PRICE / 10 ** token0decimals) + (fee1 * TOKEN1_PRICE / 10 ** token1decimals) )
                            / ( (added0 * TOKEN0_PRICE / 10 ** token0decimals) + (added1 * TOKEN1_PRICE / 10 ** token1decimals) );
```

The reconstructed deposit removes the complex double charging mechanism and only charges LP after adding liquidity, which eliminates this issue.

Conclusion

LGTM
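As an added worked example (not part of this submission and not GoodEntry's TokenisableRange code), the mitigated formula applied to a deposit whose token amounts are not in the position's ratio. The `Range` model, the mint-at-ratio logic in `add_liquidity`, the 8-decimal price scale and the USDC/WETH figures are all assumptions constructed for this example; the point it shows is that `feeLiquidity` is computed from `added0`/`added1` only, so the excess leg is refunded in full and a deposit with excess is charged exactly the same fee as one without.

```python
"""Worked model of the mitigated fee formula (constructed example, not project code)."""

from typing import NamedTuple

PRICE_SCALE = 10 ** 8  # assumption: oracle prices carry 8 decimals


class Range(NamedTuple):
    """Constructed stand-in for a two-token range position (not the real contract)."""
    res0: int          # token0 held by the position, raw units
    res1: int          # token1 held by the position, raw units
    total_liq: int     # liquidity (LP) tokens outstanding
    dec0: int          # token0 decimals
    dec1: int          # token1 decimals
    price0: int        # price of 1 whole token0, scaled by PRICE_SCALE
    price1: int        # price of 1 whole token1, scaled by PRICE_SCALE


def value_of(amount: int, price: int, decimals: int) -> int:
    """amount * PRICE / 10**decimals, the per-token term of the mitigation's formula."""
    return amount * price // 10 ** decimals


def add_liquidity(r: Range, amt0: int, amt1: int):
    """Add tokens at the position's current ratio; whatever does not fit is excess.

    Assumed Uniswap-style mint: the leg that supports less liquidity is binding.
    Returns (new_liq, added0, added1, excess0, excess1)."""
    liq_from0 = amt0 * r.total_liq // r.res0
    liq_from1 = amt1 * r.total_liq // r.res1
    new_liq = min(liq_from0, liq_from1)
    added0 = new_liq * r.res0 // r.total_liq   # integer division may round down
    added1 = new_liq * r.res1 // r.total_liq
    return new_liq, added0, added1, amt0 - added0, amt1 - added1


def fee_liquidity(r: Range, new_liq: int, fee0: int, fee1: int,
                  added0: int, added1: int) -> int:
    """feeLiquidity = newLiquidity * feeValue / addedValue (the mitigated formula)."""
    fee_value = value_of(fee0, r.price0, r.dec0) + value_of(fee1, r.price1, r.dec1)
    added_value = value_of(added0, r.price0, r.dec0) + value_of(added1, r.price1, r.dec1)
    return new_liq * fee_value // added_value


def deposit(r: Range, amt0: int, amt1: int, fee0: int, fee1: int) -> dict:
    """Full flow: add at ratio, refund the excess, charge the LP on added amounts only."""
    new_liq, added0, added1, excess0, excess1 = add_liquidity(r, amt0, amt1)
    fee_liq = fee_liquidity(r, new_liq, fee0, fee1, added0, added1)
    return {
        "minted": new_liq - fee_liq,   # LP tokens the depositor actually receives
        "fee_liq": fee_liq,            # LP tokens withheld as the fee share
        "refund0": excess0,            # excess token0 returned untouched
        "refund1": excess1,            # excess token1 returned untouched
    }


# Constructed scenario: USDC (6 dec, $1) / WETH (18 dec, $2000), position at 2000 USDC per WETH.
SCENARIO = Range(
    res0=2_000_000 * 10 ** 6, res1=1000 * 10 ** 18, total_liq=1000 * 10 ** 18,
    dec0=6, dec1=18, price0=1 * PRICE_SCALE, price1=2000 * PRICE_SCALE,
)
FEE0, FEE1 = 1000 * 10 ** 6, 5 * 10 ** 17   # 1000 USDC and 0.5 WETH of uncollected fees


def example():
    """Same 20,000 USDC leg, once with 20 WETH (10 WETH excess) and once with exactly 10 WETH."""
    with_excess = deposit(SCENARIO, 20_000 * 10 ** 6, 20 * 10 ** 18, FEE0, FEE1)
    exact = deposit(SCENARIO, 20_000 * 10 ** 6, 10 * 10 ** 18, FEE0, FEE1)
    return with_excess, exact


if __name__ == "__main__":
    a, b = example()
    print("with excess:", a)
    print("exact ratio:", b)
    print("same fee:", a["fee_liq"] == b["fee_liq"])
```

In the scenario the fee value (2,000 quote units) is 5% of the added value (40,000 quote units), so 5% of the freshly minted liquidity is withheld whichever way the user over-sends; the 10 WETH that does not fit the ratio comes back as `refund1` and never enters the fee base.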

c4-judge commented 12 months ago

gzeon-c4 marked the issue as satisfactory

c4-judge commented 12 months ago

gzeon-c4 marked the issue as confirmed for report