The _calculateArbitrageProfits function consistently divides the profit into three equal parts, regardless of the validity of the corresponding pool. This can result in other valid pools receiving reduced revenue.
Proof of Concept
The function below computes each share as _arbitrageProfits[poolID] / 3 before any of the three indices is compared against INVALID_POOL_ID. When an index is invalid, its third of the profit is not credited to any pool, and the remaining valid pools still receive only one third each.
    function _calculateArbitrageProfits( bytes32[] memory poolIDs, uint256[] memory _calculatedProfits ) internal view
        {
        for( uint256 i = 0; i < poolIDs.length; i++ )
            {
            // references poolID(arbToken2, arbToken3) which defines the arbitrage path of WETH->arbToken2->arbToken3->WETH
            bytes32 poolID = poolIDs[i];

            // Split the arbitrage profit between all the pools that contributed to generating the arbitrage for the referenced pool.
            //@audit should divide by the number of valid pools instead of a fixed 3
            uint256 arbitrageProfit = _arbitrageProfits[poolID] / 3;
            if ( arbitrageProfit > 0 )
                {
                ArbitrageIndicies memory indicies = _arbitrageIndicies[poolID];

                if ( indicies.index1 != INVALID_POOL_ID )
                    _calculatedProfits[indicies.index1] += arbitrageProfit;

                if ( indicies.index2 != INVALID_POOL_ID )
                    _calculatedProfits[indicies.index2] += arbitrageProfit;

                if ( indicies.index3 != INVALID_POOL_ID )
                    _calculatedProfits[indicies.index3] += arbitrageProfit;
                }
            }
        }
Tools Used
Manual Review
Recommended Mitigation Steps
Split the arbitrageProfit according to the number of valid pools.
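One way to apply this mitigation, as an added sketch that is not code from the report or from the audited project. The contract name, the setPath and preview helpers, and the uint64 index type with its sentinel value are assumptions made so the sketch is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch of the recommended mitigation; not the audited contract.
contract ArbitrageSplitSketch {
    // Assumption: sentinel value and index width are chosen for this sketch.
    uint64 constant INVALID_POOL_ID = type(uint64).max;

    struct ArbitrageIndicies { uint64 index1; uint64 index2; uint64 index3; }

    mapping(bytes32 => uint256) internal _arbitrageProfits;
    mapping(bytes32 => ArbitrageIndicies) internal _arbitrageIndicies;

    // Hypothetical test helper: record a path's profit and its pool indices.
    function setPath(bytes32 poolID, uint256 profit, uint64 a, uint64 b, uint64 c) external {
        _arbitrageProfits[poolID] = profit;
        _arbitrageIndicies[poolID] = ArbitrageIndicies(a, b, c);
    }

    // Hypothetical view wrapper so the resulting split can be inspected.
    function preview(bytes32[] memory poolIDs, uint256 poolCount) external view returns (uint256[] memory profits) {
        profits = new uint256[](poolCount);
        _calculateArbitrageProfits(poolIDs, profits);
    }

    function _calculateArbitrageProfits(bytes32[] memory poolIDs, uint256[] memory _calculatedProfits) internal view {
        for (uint256 i = 0; i < poolIDs.length; i++) {
            bytes32 poolID = poolIDs[i];
            ArbitrageIndicies memory indicies = _arbitrageIndicies[poolID];

            // Count the valid pools first, so the divisor matches the recipients.
            uint256 validPools = 0;
            if (indicies.index1 != INVALID_POOL_ID) validPools++;
            if (indicies.index2 != INVALID_POOL_ID) validPools++;
            if (indicies.index3 != INVALID_POOL_ID) validPools++;
            if (validPools == 0) continue; // no recipient; also avoids division by zero

            // Integer division: up to validPools - 1 units of remainder stay unassigned.
            uint256 share = _arbitrageProfits[poolID] / validPools;
            if (share == 0) continue;

            if (indicies.index1 != INVALID_POOL_ID) _calculatedProfits[indicies.index1] += share;
            if (indicies.index2 != INVALID_POOL_ID) _calculatedProfits[indicies.index2] += share;
            if (indicies.index3 != INVALID_POOL_ID) _calculatedProfits[indicies.index3] += share;
        }
    }
}
```

With a recorded profit of 300 and index3 set to INVALID_POOL_ID, the fixed divisor of 3 credits 100 to each of the two valid pools and leaves 100 unassigned, while this version credits 150 to each.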
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/PoolStats.sol#L104-L127
Assessed type
Decimal