Closed c4-bot-10 closed 4 months ago
Picodes marked the issue as satisfactory
Picodes marked the issue as duplicate of #101
Hi @Picodes! Thanks for your continuous work!
Just thought I would add a few points here given that this issue was labeled as a duplicate of #101:
Although both issues revolve around the bit shifting mechanism, this issue claims that due to shifting up and then down, the function might return an incorrect value due to precision loss. I'll have to also add I'm not convinced of the severity of this issue, a POC would have helped bolster the claims made.
Mine describes another issue altogether, where the function can return 0 via the conditional check in line 120 (n1 <= n0), due to bit shifting 'imbalanced' pools. It also provides a working POC.
The mitigation required for both issues will also be completely different. Indeed, the sponsor confirmed and mitigated my issue specifically. This issue is yet to be mitigated if any.
Happy to hear your thoughts on this!
@genesiscrew isn't #101 issue about precision loss as well? Both issues revolve around the fact that the last shifted bits of the reserves are forgotten.
When the values of any of the shifted variables are small after shifting, the precision loss is maximal and we are at risk of either reverting as shown here, finding an incorrect value in bestArbAmountIn, or even finding 0 in the extreme cases as in #101.
As far as mitigation is concerned, unless I am missing something the current mitigation proposed by the sponsor does not mitigate fully the precision loss but tries to minimize it so the issues may still occur.
Note that in both cases, the impact should remain minimal unless one of the tokens has way fewer decimals than the other.
Yes, you are correct. After some thought it seems the essence of both issues is the same. Thanks!
Lines of code
https://github.com/othernet-global/salty-io/blob/53feaeb0d335bd33803f98db022871b48b3f2454/src/arbitrage/ArbitrageSearch.sol#L137-L146
Vulnerability details
Comments
The original implementation used _bisectionSearch() to figure out the best arbitrage opportunity, which is inefficient and may completely miss arbitrage profits.
Mitigation
commit a54656d, commit 53feaeb
The best arbitrage value can be calculated by a simple formula. The mitigation used the suggested formula to find out the arbitrage opportunity. If necessary, all reserves will be right shifted before calculation to prevent overflow. Once the arbitrage value exists, all reserves will be left shifted to verify the result.
New issue
The result of arbitrage verification could be incorrect due to precision loss caused by shifting.
Links to affected code
https://github.com/othernet-global/salty-io/blob/53feaeb0d335bd33803f98db022871b48b3f2454/src/arbitrage/ArbitrageSearch.sol#L137-L146
Vulnerability details
The mitigation didn't utilize the original reserves to verify if arbitrage profit exists. If a shift occurred, all reserves could be less than the original values after right-shifting then left-shifting, resulting in an incorrect result.
Tools Used
Manual review
Recommended Mitigation Steps
Use the original reserve values for arbitrage verification:
Assessed type
Math
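The shift-down, shift-up round trip described in the report, as an added Python model that is not the project's Solidity code or either warden's POC. It assumes fee-free constant-product pools and a uniform shift; the shift amount, reserve values and all function names are constructed for illustration.

```python
# Constructed model of the report's concern; not the project's Solidity code.
SHIFT = 16  # hypothetical shift amount (constructed)

# Constructed reserves along the path X -> Y -> Z -> X, as (A0, A1, B0, B1, C0, C1).
# Z stands for a low-decimals token, so B1 and C0 are tiny next to the others.
RESERVES = (65_536_000_000, 65_536_000_000,   # pool A: X in, Y out
            65_536_000_000, 98_303,           # pool B: Y in, Z out
            65_536, 65_536_000_000)           # pool C: Z in, X out
AMOUNT_IN = 6_553_600_000  # candidate arbitrage input in X (constructed)


def round_trip(reserves, shift):
    """Right-shift, then left-shift back: the low `shift` bits are zeroed."""
    return tuple((r >> shift) << shift for r in reserves)


def relative_loss(reserves, shift):
    """Fraction of each reserve lost by the round trip."""
    return tuple((r - rt) / r for r, rt in zip(reserves, round_trip(reserves, shift)))


def swap_out(reserve_in, reserve_out, amount_in):
    """Fee-free constant-product swap output (an assumption of this model)."""
    return reserve_out * amount_in // (reserve_in + amount_in)


def arb_profit(reserves, amount_in):
    """Profit of routing amount_in through pools A, B and C in turn."""
    a0, a1, b0, b1, c0, c1 = reserves
    out = swap_out(a0, a1, amount_in)
    out = swap_out(b0, b1, out)
    out = swap_out(c0, c1, out)
    return out - amount_in


def is_profitable(reserves, amount_in):
    """Verification step: does the candidate input yield a positive profit?"""
    return arb_profit(reserves, amount_in) > 0


if __name__ == "__main__":
    restored = round_trip(RESERVES, SHIFT)
    print("relative loss per reserve:", relative_loss(RESERVES, SHIFT))
    print("verified on original reserves:     ", is_profitable(RESERVES, AMOUNT_IN))
    print("verified on round-tripped reserves:", is_profitable(restored, AMOUNT_IN))
```

Only the small reserve loses a meaningful fraction of its value here, which matches the comment above that the impact is concentrated where one token has far fewer decimals than the other.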