The commit specifically removed the arbitrage operation when zapping in liquidity. It also set a limit on how much can be zapped, to reduce the risk of slippage: the amount should be no more than 1%, as can be seen below:
```solidity
// Prevent users from zapping too much at once as they may encounter unexpected slippage
if ( flipped )
    require( zapSwapAmountIn < reserves.reserve1 / 100, "Cannot zap more than 1% of the reserves" );
else
    require( zapSwapAmountIn < reserves.reserve0 / 100, "Cannot zap more than 1% of the reserves" );
```
Of note, however, is the commit title "zapping limited to 1% of reserves to prevent excessive slippage.", which hints that the intention is to keep the zapping amount limited to 1% or less of reserves, but the condition in the code is slightly more restrictive, only allowing zap amounts less than 1%. Although the impact is negligible, the conditional check can be changed to "<=" to exactly match the intention.
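The boundary difference described above, modelled in Python as an added example (not code from the commit or the project). The function names and reserve values are constructed, and Python's `//` stands in for Solidity's truncating `uint256` division.

```python
# Added illustration: Python model of the Solidity check, not code from the commit.
# Function names and reserve values are constructed for this example.

def zap_allowed_strict(zap_swap_amount_in, reserve):
    # Mirrors the committed condition: zapSwapAmountIn < reserve / 100.
    # Solidity's uint256 division truncates, like // on non-negative ints.
    return zap_swap_amount_in < reserve // 100

def zap_allowed_inclusive(zap_swap_amount_in, reserve):
    # The variant suggested in the review: zapSwapAmountIn <= reserve / 100.
    return zap_swap_amount_in <= reserve // 100

def max_accepted(reserve, check):
    # Largest amount the check accepts, or None if it rejects every amount.
    # Both checks are monotonic, so only values around reserve // 100 matter.
    cap = reserve // 100
    accepted = [a for a in range(max(cap - 2, 0), cap + 3) if check(a, reserve)]
    return max(accepted) if accepted else None

def boundary_table(reserves):
    # One row per reserve: (reserve, reserve // 100, strict max, inclusive max).
    return [
        (r, r // 100,
         max_accepted(r, zap_allowed_strict),
         max_accepted(r, zap_allowed_inclusive))
        for r in reserves
    ]

if __name__ == "__main__":
    # Constructed reserves: an exact multiple of 100, one with a remainder,
    # one just under 200, and one below 100 where reserve // 100 is zero.
    for reserve, cap, strict_max, inclusive_max in boundary_table(
        [1_000_000, 1_000_050, 199, 50]
    ):
        print(f"reserve={reserve} cap={cap} "
              f"strict_max={strict_max} inclusive_max={inclusive_max}")
```

Because the division truncates, the inclusive form still never admits more than 1% of the reserve. With a reserve below 100 the strict form rejects every amount, including zero.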
Additional Scope Issue
https://github.com/othernet-global/salty-io/commit/f16623e6bf1cdb0845b83ebf3592e30885a8fc61
Conclusion
LGTM