Lines of code
https://github.com/Shell-Protocol/Shell-Protocol/blob/c1e3615130dcbbd307ce72e444290a327f8db69c/src/ocean/Ocean.sol#L694
Vulnerability details
Impact
When a user's interaction type is ComputeOutputAmount, the unwrap fee applies twice: if the unwrap fee is 5%, it effectively becomes 9.75%, and users receive 90.25% of the amount instead of 95%.
Proof of Concept
When users provide some input token and get output token, they make an interaction. Here the interaction type is ComputeOutputAmount. They call the doInteraction function in Ocean.sol [210-218], which calls the _doInteraction function [380].
In the _executeInteraction function, the calculation is carried out according to interactionType [597].
In _computeOutputAmount, it calls the IOceanPrimitive(primitive).computeOutputAmount function [745-765].
The IOceanPrimitive(primitive).computeOutputAmount function corresponds to the computeOutputAmount function in OceanAdapter.sol [55-76].
As we can see at line 67, we have to unwrap the token, which is another interaction for unwrapping the input token. There is also a line for the unwrap fee at line 70, and the input amount decreases by the unwrap fee. But the problem is that when calling unwrapToken, there is a fee collection [121-133].
To execute the above interaction, the _executeInteraction function in Ocean.sol is called, and this time the InteractionType is UnwrapErc20 [628-633].
And finally, in the _erc20Unwrap function there is a fee collection [864-880].
As we can see at lines 866 and 867, there is a fee collection and the amount is decreased by the fee.
But as we have seen earlier in IOceanPrimitive(primitive).computeOutputAmount, after the unwrapToken function, there is fee collection again. This means the user has to pay the fee twice and will get a smaller amount than expected.
Tools Used
Manual review
Recommended Mitigation Steps
I think fee collection in the _erc20Unwrap function is essential, so it is good to remove fee collection in IOceanPrimitive(primitive).computeOutputAmount.
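The following added example (not code from the report or from Shell Protocol) models the fee path as this report describes it and turns the finding into a regression check: the effective fee charged along a path must not exceed the configured unwrap fee. The function names, the basis-point representation of the fee, and the round-down rule are assumptions made for illustration.

```python
# Constructed model of the fee path described in this report.
# Hypothetical names; fee expressed in basis points (assumption).
BPS = 10_000


def take_fee(amount: int, fee_bps: int) -> tuple[int, int]:
    """One fee deduction, fee rounded down. Returns (net, fee)."""
    fee = amount * fee_bps // BPS
    return amount - fee, fee


def path_as_reported(amount: int, fee_bps: int) -> tuple[int, int]:
    """Fee taken in the unwrap step, then again in computeOutputAmount."""
    net, fee_unwrap = take_fee(amount, fee_bps)   # models _erc20Unwrap
    net, fee_adapter = take_fee(net, fee_bps)     # models the adapter deduction
    return net, fee_unwrap + fee_adapter


def path_mitigated(amount: int, fee_bps: int) -> tuple[int, int]:
    """Recommended mitigation: the fee is taken only in the unwrap step."""
    return take_fee(amount, fee_bps)


def effective_fee_bps(amount: int, net: int) -> int:
    """Total share of the input lost to fees, in basis points."""
    return (amount - net) * BPS // amount


def charges_fee_once(path, amount: int, fee_bps: int) -> bool:
    """Regression check: value is conserved and the effective fee
    does not exceed the configured unwrap fee."""
    net, fees = path(amount, fee_bps)
    if net + fees != amount:
        raise ValueError("accounting mismatch: net + fees != input")
    return effective_fee_bps(amount, net) <= fee_bps


if __name__ == "__main__":
    amount, fee_bps = 1_000_000, 500  # constructed input, 5% fee
    for path in (path_as_reported, path_mitigated):
        net, fees = path(amount, fee_bps)
        print(path.__name__, net, effective_fee_bps(amount, net),
              charges_fee_once(path, amount, fee_bps))
```
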
Assessed type
Other