The potential slippage issue arises from the precision loss during decimal conversion in the primitiveOutputAmount function. When interacting with the Curve Tricrypto Pool, especially involving tokens with different decimal precisions, truncation can lead to a smaller outputAmount than expected. This discrepancy might cause transactions to fail due to slippage checks, impacting user experience and transaction efficiency.
Proof of Concept
Consider a user swapping tokens in the Shell Protocol:
The user specifies a minimumOutputAmount expecting a certain level of precision.
Because the decimal conversion truncates, the actual outputAmount might be slightly less than expected.
If this reduced amount falls below the minimumOutputAmount, the transaction fails with a SLIPPAGE_LIMIT_EXCEEDED error, even though the difference might be negligible.
Tools Used
Recommended Mitigation Steps
Implement a Slippage Tolerance Mechanism: Introduce a tolerance threshold for slippage checks to accommodate minor discrepancies caused by decimal truncation. This would prevent transactions from failing due to insignificant precision loss.
Refine Decimal Conversion Logic: Enhance the _convertDecimals function to minimize the impact of truncation, possibly by implementing more sophisticated rounding strategies.
User-Defined Slippage Settings: Allow users to set their own slippage tolerance levels, giving them more control over their transactions and the associated risks.
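The failure mode and the tolerance mitigation described above, as an added Python model that is not code from the Shell Protocol repository. The function names, the 18-decimal internal precision, the 6-decimal token and the quoted amount are assumptions constructed for illustration.

```python
# Added illustration (not Shell Protocol code): integer model of a truncating
# decimal conversion followed by a minimum-output check.
INTERNAL_DECIMALS = 18  # assumption: amounts are normalized to 18 decimals


class SlippageLimitExceeded(Exception):
    """Stands in for the SLIPPAGE_LIMIT_EXCEEDED error named in the report."""


def convert_decimals(decimals_from: int, decimals_to: int, amount: int) -> int:
    """Rescale an integer amount; scaling down floors, as uint division does."""
    if decimals_from < decimals_to:
        return amount * 10 ** (decimals_to - decimals_from)
    return amount // 10 ** (decimals_from - decimals_to)


def truncation_bound(token_decimals: int) -> int:
    """Largest amount (in internal units) one down-conversion can drop."""
    return 10 ** max(INTERNAL_DECIMALS - token_decimals, 0) - 1


def check_slippage(output: int, minimum: int, tolerance: int = 0) -> int:
    """Strict check when tolerance == 0; otherwise forgive up to `tolerance`."""
    if output + tolerance < minimum:
        raise SlippageLimitExceeded(f"{output} < {minimum} (tolerance {tolerance})")
    return output


def settle(quoted: int, token_decimals: int, minimum: int, tolerance: int = 0) -> int:
    """Round-trip a quote through the token's native decimals, then check it."""
    native = convert_decimals(INTERNAL_DECIMALS, token_decimals, quoted)
    output = convert_decimals(token_decimals, INTERNAL_DECIMALS, native)
    return check_slippage(output, minimum, tolerance)


if __name__ == "__main__":
    quoted = 2_500_000_123_456_789_012  # constructed 18-decimal quote
    try:
        settle(quoted, 6, minimum=quoted)
    except SlippageLimitExceeded as exc:
        print("strict check rejects dust-sized loss:", exc)
    print("tolerant check accepts:", settle(quoted, 6, quoted, truncation_bound(6)))
```

Capping the tolerance at the truncation bound keeps the check from accepting a shortfall larger than the conversion itself can cause.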
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L227
Assessed type
Decimal