Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/PoolMath.sol#L152
Vulnerability details
Impact
The amount swapped in a zap call is not accurately calculated, leading to less liquidity being deposited and extra slippage loss incurred by users.
Proof of Concept
During the Zap where tokens are swapped, the _determineZapSwapAmount function calculates the exact number of tokens to swap so that the remaining amounts in match the reserve ratio after the swap.
However, this incorrectly assumes that, after the swap takes place, the liquidity deposit happens with no changes to the AMM pool occurring in between. The protocol actually performs in-protocol arbitrage during the swap, and this changes the reserve ratio of the underlying pool.
The call chain to the arbitrage is:
_dualZapInLiquidity -> depositSwapWithdraw -> _adjustReservesForSwapAndAttemptArbitrage
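The effect described above can be reproduced with a small model. This is an added example, not code from the report or from Salty's PoolMath.sol: it assumes a fee-free constant-product pool, simplifies to a single-sided zap, and stands in for the arbitrage with a hypothetical reverse swap (arb_in1) into the same pool; all reserve and zap values are constructed.

```python
from math import isqrt

def swap_out(r_in, r_out, amount_in):
    """Output of a fee-free constant-product swap (assumed pool model)."""
    return r_out * amount_in // (r_in + amount_in)

def zap_swap_amount(r0, zap0):
    """token0 to swap so the remainder matches the post-swap reserve ratio.
    Solves s^2 + 2*r0*s - zap0*r0 = 0, which holds only if nothing else
    moves the reserves between the swap and the deposit."""
    return isqrt(r0 * (r0 + zap0)) - r0

def deposit(r0, r1, a0, a1):
    """Add liquidity at the current reserve ratio; returns (used0, used1)."""
    need1 = a0 * r1 // r0
    if need1 <= a1:
        return a0, need1
    return a1 * r0 // r1, a1

def zap(r0, r1, zap0, arb_in1=0):
    """Single-sided zap of token0. arb_in1 is a hypothetical stand-in for the
    arbitrage leg: token1 swapped into the same pool right after the user's
    swap, before the deposit is sized against the reserves."""
    s = zap_swap_amount(r0, zap0)
    out1 = swap_out(r0, r1, s)
    r0, r1 = r0 + s, r1 - out1              # reserves after the user's swap
    if arb_in1:
        out0 = swap_out(r1, r0, arb_in1)
        r0, r1 = r0 - out0, r1 + arb_in1    # reserves after the arbitrage
    a0, a1 = zap0 - s, out1                 # what the user holds for the deposit
    used0, used1 = deposit(r0, r1, a0, a1)
    return {"swapped": s, "used0": used0, "used1": used1,
            "unused0": a0 - used0, "unused1": a1 - used1}

E18 = 10**18                                # constructed sample values
RESERVE, ZAP = 1_000_000 * E18, 100_000 * E18

if __name__ == "__main__":
    for label, arb in (("no arbitrage", 0), ("with arbitrage", 20_000 * E18)):
        r = zap(RESERVE, RESERVE, ZAP, arb)
        print(label, {k: v // E18 for k, v in r.items()})
```

Without the arbitrage step the deposit consumes both amounts up to rounding dust; with it, part of the token0 remainder no longer fits the pool ratio and stays undeposited.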
Tools Used
Manual Review
Recommended Mitigation Steps
The liquidity deposit should take into account the protocol arbitrage that will take place during the swap to calculate the correct amount of tokens to swap.
Assessed type
Math