code-423n4 / 2024-01-salty-findings


Zap Swap Calculation Is Inaccurate Due To Arbitrage Changing The Reserve Ratio #281

Open c4-bot-5 opened 5 months ago

c4-bot-5 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/PoolMath.sol#L152

Vulnerability details

Impact

The amount swapped in a zap call is not accurately calculated, leading to less liquidity being deposited and extra slippage loss incurred by users.

Proof of Concept

During the Zap where tokens are swapped, the _determineZapSwapAmount function calculates the exact number of tokens to swap to balance the amounts in to match the reserve ratio after the swap.

However, this makes an incorrect assumption that after the swap takes place, the liquidity deposit happens with no changes to the AMM pool occurring in between. However, the protocol actually does the in-protocol arbitrage during the swap, and this changes the reserve ratio of the underlying pool:

The call chain to the arbitrage is:

_dualZapInLiquidity -> depositSwapWithdraw -> _adjustReservesForSwapAndAttemptArbitrage

Tools Used

Manual Review

Recommended Mitigation Steps

The liquidity deposit should take into account the protocol arbitrage that will take place during the swap to calculate the correct amount of tokens to swap.

Assessed type

Math
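
A numeric sketch of the effect described in the report above, added here and not part of the original submission or the Salty code base. It assumes a fee-free constant-product pool and a single-sided zap, and models the in-protocol arbitrage as a hypothetical reverse trade (`arb_in1`) on the same pool between the swap and the deposit; all function names are illustrative.

```python
import math

def zap_swap_amount(r0, z):
    """Token0 to swap so the remainder matches the post-swap reserve ratio.
    Solves s^2 + 2*r0*s - z*r0 = 0 for a fee-free x*y=k pool (assumption)."""
    return math.sqrt(r0 * (r0 + z)) - r0

def swap(r_in, r_out, amount_in):
    """Constant-product swap; returns (new_r_in, new_r_out, amount_out)."""
    out = r_out * amount_in / (r_in + amount_in)
    return r_in + amount_in, r_out - out, out

def deposit(r0, r1, a0, a1):
    """Add liquidity at the current pool ratio; returns (used0, used1)."""
    if a0 * r1 <= a1 * r0:            # token0 is the limiting side
        return a0, a0 * r1 / r0
    return a1 * r0 / r1, a1           # token1 is the limiting side

def zap(r0, r1, z, arb_in1=0.0):
    """Zap z of token0 into the pool. Returns the (token0, token1) amounts
    that could NOT be deposited because the ratio no longer matched."""
    s = zap_swap_amount(r0, z)        # computed against pre-swap reserves
    r0, r1, out1 = swap(r0, r1, s)
    # Modelled arbitrage (assumption): token1 sold into the pool for token0,
    # which moves the reserve ratio after the swap amount was already fixed.
    r1, r0, _ = swap(r1, r0, arb_in1)
    used0, used1 = deposit(r0, r1, z - s, out1)
    return (z - s) - used0, out1 - used1

if __name__ == "__main__":
    # Constructed sample pool: 1000/1000 reserves, user zaps 100 token0.
    print("no arbitrage  :", zap(1000.0, 1000.0, 100.0))
    print("with arbitrage:", zap(1000.0, 1000.0, 100.0, arb_in1=20.0))
```

With no intervening reserve change the leftover is zero up to rounding; once the ratio moves, part of the zapped token0 cannot be paired and stays out of the deposit.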

c4-judge commented 5 months ago

Picodes marked the issue as duplicate of #250

c4-judge commented 4 months ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 4 months ago

Picodes marked the issue as grade-b