code-423n4 / 2024-03-saltyio-mitigation-findings


E-01 MitigationConfirmed #114

Open c4-bot-1 opened 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

Vulnerability details

Additional Scope Issue

https://github.com/othernet-global/salty-io/commit/f16623e6bf1cdb0845b83ebf3592e30885a8fc61

Comments

The commit specifically removed the arbitrage operation when zapping in liquidity. It also set a limitation on how much can be zapped to reduce the risk of slippage; the limit is that it should be no more than 1%, as can be seen below:

    // Prevent users from zapping too much at once as they may encounter unexpected slippage
    // `flipped` selects which side of the pool the zap swap consumes, so the cap is
    // taken against that side's reserve (integer division floors to the nearest unit)
    if ( flipped )
        require( zapSwapAmountIn < reserves.reserve1 / 100, "Cannot zap more than 1% of the reserves" );
    else
        require( zapSwapAmountIn < reserves.reserve0 / 100, "Cannot zap more than 1% of the reserves" );

Of note, however, is the commit title "zapping limited to 1% of reserves to prevent excessive slippage.", which hints that the intention is to keep the zapping amount limited to 1% or less of reserves, but the condition in the code is slightly more restrictive, only allowing zap amounts less than 1%. Although the impact is negligible, the conditional check can be changed to "<=" to exactly match the intention.

Conclusion

LGTM
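The boundary and slippage behaviour discussed in the comment above, modelled in Python as an added example that is not part of the original issue or of the Salty.IO code base. Reserve sizes and zap amounts are constructed; `zap_allowed` mirrors the quoted `require` with a `strict` flag to compare the committed `<` against the proposed `<=`, and `price_impact` assumes a plain fee-less constant-product swap, which is an assumption made for illustration, not a statement about the protocol's actual pricing.

```python
# Added example (not Salty.IO code): model of the 1% zap cap and the
# constant-product price impact it bounds. All numbers are constructed.
from fractions import Fraction


def zap_allowed(zap_swap_amount_in: int, reserve0: int, reserve1: int,
                flipped: bool, strict: bool = True) -> bool:
    """Mirror of the quoted Solidity require.

    strict=True  -> the committed check  (amount <  reserve / 100)
    strict=False -> the proposed check   (amount <= reserve / 100)
    Solidity's uint256 '/' floors, exactly like Python's '//'.
    """
    reserve = reserve1 if flipped else reserve0
    limit = reserve // 100
    return zap_swap_amount_in < limit if strict else zap_swap_amount_in <= limit


def swap_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Fee-less constant-product output (x*y=k), floored like on-chain math.
    Assumed pricing model for illustration only."""
    return reserve_out * amount_in // (reserve_in + amount_in)


def price_impact(amount_in: int, reserve_in: int, reserve_out: int) -> Fraction:
    """Relative shortfall of the realised price against the spot price:
    1 - (out/in) / (reserve_out/reserve_in). For fee-less constant product
    this is a/(R_in + a) plus a negligible rounding term."""
    if amount_in == 0:
        return Fraction(0)
    out = swap_out(amount_in, reserve_in, reserve_out)
    spot = Fraction(reserve_out, reserve_in)
    realised = Fraction(out, amount_in)
    return 1 - realised / spot


def boundary_report(reserve0: int, reserve1: int, flipped: bool) -> dict:
    """Classify the three amounts around the cap under both comparisons.
    Returns {amount: (allowed_with_lt, allowed_with_le)}."""
    limit = (reserve1 if flipped else reserve0) // 100
    return {
        a: (zap_allowed(a, reserve0, reserve1, flipped, strict=True),
            zap_allowed(a, reserve0, reserve1, flipped, strict=False))
        for a in (limit - 1, limit, limit + 1)
    }


if __name__ == "__main__":
    # Constructed pool: 1,000,000 token0 against 500,000 token1 (18 decimals).
    R0 = 1_000_000 * 10**18
    R1 = 500_000 * 10**18
    for amount, (lt_ok, le_ok) in boundary_report(R0, R1, flipped=False).items():
        print(f"amount={amount}  '<' allows: {lt_ok}  '<=' allows: {le_ok}")
    cap = R0 // 100
    print(f"price impact at exactly 1% of reserve0: "
          f"{float(price_impact(cap, R0, R1)) * 100:.4f}%")
```

Only the amount exactly equal to `reserve / 100` behaves differently between the two comparisons, which matches the comment's "negligible impact" assessment. The model also makes a corner of the floored division visible: for a reserve below 100 base units the limit is 0, so the committed `<` rejects every zap while `<=` would admit only a zero amount.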

liveactionllama commented 4 months ago

Updating the ID label here, simply for consistency across all warden submissions.

c4-judge commented 4 months ago

Picodes marked the issue as satisfactory

c4-judge commented 4 months ago

Picodes marked the issue as confirmed for report