code-423n4 / 2024-02-hydradx-findings


`calculate_ann` function not calculating `amplification * n^n` #172

Closed c4-bot-7 closed 6 months ago

c4-bot-7 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/math/src/stableswap/math.rs#L399-L401

Vulnerability details

Issue Description

The stableswap math module necessitates the calculation of the product `amplification * n^n`, which is used in determining both D and Y values (in `calculate_d_internal` and `calculate_y_internal` respectively). These values are essential for various liquidity and shares operations.

However, the `calculate_ann` function, which is responsible for computing the value of `amplification * n^n`, currently only calculates the product `amplification * n` instead:

```rust
//@audit calculating amplification*n instead of amplification*n^n
const fn calculate_ann(n: usize, amplification: Balance) -> Option<Balance> {
    amplification.checked_mul(n as u128)
}
```

This oversight results in incorrect values of D and Y being returned by `calculate_d_internal` and `calculate_y_internal` respectively. Consequently, incorrect shares or asset amounts will be added or removed from the stableswap pools, potentially leading to financial losses for users and the protocol.

Impact

The incorrect calculation of `amplification * n^n` in the `calculate_ann` function may result in financial losses for both users and the protocol.

Tools Used

Manual review, VS Code

Recommended Mitigation

To rectify this issue, the `calculate_ann` function must calculate the correct product:

const fn calculate_ann(n: usize, amplification: Balance) -> Option<Balance> {
--  amplification.checked_mul(n as u128)
++  (0..n).try_fold(amplification, |acc, _| acc.checked_mul(n as u128))
}
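
Review bot: the replacement line calls `(0..n).try_fold(...)` with a closure while the signature stays `const fn calculate_ann`; iterator methods and closures cannot be called in a const context on stable Rust, so the function will not compile as written. Either drop `const` or express the repeated multiplication as a `while` loop over `checked_mul` with an early `return None`. The change also alters the value passed to `calculate_d_internal` and `calculate_y_internal` for every pool with n > 1, so it should come with a test that compares the resulting D and Y against an expected value.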

By incorporating this modification, the function will accurately compute `amplification * n^n`, ensuring correct values for D and Y, and mitigating the risk of financial losses for users and the protocol.

Assessed type

Error
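
Added example, not part of the original report or the HydraDX code base: the two quantities the report contrasts, both written so they remain valid `const fn`s, with the factor by which they differ per pool size. `Balance = u128` is assumed from the `n as u128` cast in the quoted code; the names `ann_linear`, `ann_power` and `divergence_factor` are hypothetical.

```rust
// Assumption: Balance is u128, inferred from the `n as u128` cast in the report.
type Balance = u128;

/// The behaviour quoted in the report: amplification * n.
const fn ann_linear(n: usize, amplification: Balance) -> Option<Balance> {
    amplification.checked_mul(n as u128)
}

/// amplification * n^n, as the report expects. A `while` loop is used because
/// iterators and closures are not callable inside a `const fn`.
const fn ann_power(n: usize, amplification: Balance) -> Option<Balance> {
    let mut acc = amplification;
    let mut i = 0;
    while i < n {
        acc = match acc.checked_mul(n as u128) {
            Some(v) => v,
            None => return None, // overflow is reported, never wrapped
        };
        i += 1;
    }
    Some(acc)
}

/// Ratio between the two definitions; equals n^(n-1) when neither overflows.
fn divergence_factor(n: usize, amplification: Balance) -> Option<Balance> {
    ann_power(n, amplification)?.checked_div(ann_linear(n, amplification)?)
}

// Evaluated at compile time, which shows the loop form is const-compatible.
const CONST_ANN: Option<Balance> = ann_power(3, 100);

fn main() {
    // Constructed sample input: amplification = 100, pools of 1 to 5 assets.
    for n in 1..=5usize {
        println!(
            "n={n} A*n={:?} A*n^n={:?} factor={:?}",
            ann_linear(n, 100),
            ann_power(n, 100),
            divergence_factor(n, 100)
        );
    }
    println!("const: {:?}", CONST_ANN);
}
```

The two definitions agree only for n = 1, so any test of D or Y has to state which one the surrounding invariant code expects.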

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #153

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Insufficient proof