Closed c4-bot-10 closed 9 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as high quality report
viraj124 (sponsor) acknowledged
we'll add the update soon
0xA5DF marked the issue as satisfactory
0xA5DF marked the issue as selected for report
I'm thinking of downgrading this to low, even for the low-decimals tokens (6 decimals) this is only 1e-6 of the 'traffic' in the contract. Meaning for each 1M USD worth of tokens passing through the function the protocol would lose 1 USD.
What do you think @viraj124? Is this an amount you'd consider meaningful? How much is the regular fee (without truncation) expected to be?
we have anywys fixed it and I feel we can mark it as low @0xA5DF the fee on ocean v2 is negligible
Got it, mitigation doesn't change the initial severity, but since the amount seems insignificant I'll downgrade it to low
0xA5DF changed the severity to QA (Quality Assurance)
0xA5DF marked the issue as grade-c
Closing due to total low quantity of QA findings by warden
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/OceanAdapter.sol#L55-L76
Vulnerability details
Impact
Detailed description of the impact of this finding. oceanAdapter.computeOutputAmount() fails to calculate the correct value for unwrappedAmount and thus will calculate the wrong value for outputAmount.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
oceanAdapter.computeOutputAmount() unwraps the input tokens and then calcualtes the outputAmount and finally wraps the output tokens.
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/OceanAdapter.sol#L55-L76
However, the problem is that unwrapToken() considers the unwrapping fee as follows. It considers both the percentgage using function _calculateUnwrapFee() but also the truncated amount. In other words, the actual fee charge is amount/unwrapFeeDivisor + truncated, not amount/unwrapFeeDivisor!
Meanwhile, oceanAdapter.computeOutputAmount() fails to account the amount in
truncated
. As a result, the unwrapFee is smaller than it is supposed to be and the unwrappedAmount will be larger than it is supposed to be. Finally, theoutputAmount
will be calculated wrongly.The following POC confirms my finding: 1) There are three interactions. 2) The second interaction will eventually calls OceanAdaptor.computeOutputAmount() to unwrap 123456123456789012 input tokens from ocean.
3) Although only 123443 (6 decimals) = 123443000000000000 (18 decimals) wrapped usdc is unwrapped, the
unwrappedAmount
records a value of 123443777844443334, which is larger than is is supposed to be (123443000000000000).