Handling Potential Slippage Due to Truncation

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L227

Vulnerability details

Impact

The potential slippage issue arises from the precision loss during decimal conversion in the primitiveOutputAmount function. When interacting with the Curve Tricrypto Pool, especially involving tokens with different decimal precisions, truncation can lead to a smaller outputAmount than expected. This discrepancy might cause transactions to fail due to slippage checks, impacting user experience and transaction efficiency.

Proof of Concept

Consider a user swapping tokens in the Shell Protocol:

• The user specifies a minimumOutputAmount expecting a certain level of precision.
• Due to the decimal conversion, the actual outputAmount might be slightly less due to truncation.
• If this reduced amount falls below the minimumOutputAmount, the transaction fails with a SLIPPAGE_LIMIT_EXCEEDED error, even though the difference might be negligible.

Tools Used

Recommended Mitigation Steps

• Implement a Slippage Tolerance Mechanism: Introduce a tolerance threshold for slippage checks to accommodate minor discrepancies caused by decimal truncation. This would prevent transactions from failing due to insignificant precision loss.

• Refine Decimal Conversion Logic: Enhance the _convertDecimals function to minimize the impact of truncation, possibly by implementing more sophisticated rounding strategies.

• User-Defined Slippage Settings: Allow users to set their own slippage tolerance levels, giving them more control over their transactions and the associated risks.

Assessed type

Decimal

[c4-pre-sort]

raymondfam marked the issue as insufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #87

[c4-judge]

0xA5DF marked the issue as unsatisfactory: Invalid