code-423n4 / 2024-05-bakerfi-findings

_payDebt() quoteExactOutputSingle should use _swapFeeTier #34

Closed c4-bot-2 closed 5 months ago

c4-bot-2 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/strategies/StrategyLeverage.sol#L546

Vulnerability details

In _payDebt(), we need to calculate amountIn first.

    function _payDebt(uint256 debtAmount, uint256 fee) internal {
        _repay(wETHA(), debtAmount);
        // Get a Quote to know how much collateral i require to pay debt
        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
@>          IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
        );

        _withdraw(ierc20A(), amountIn, address(this));

        uint256 output = _swap(
            ISwapHandler.SwapParams(
                ierc20A(),
                wETHA(),
                ISwapHandler.SwapType.EXACT_OUTPUT,
                amountIn,
                debtAmount + fee,
@>              _swapFeeTier,
                bytes("")
            )
        );
        // When there are leftovers from the swap, deposit them back
        uint256 wethLefts = output > (debtAmount + fee) ? output - (debtAmount + fee) : 0;
        if (wethLefts > 0) {
            _supply(wETHA(), wethLefts);
        }
        emit StrategyUndeploy(msg.sender, debtAmount);
    }

In the above method, QuoteExactOutputSingleParams.fee is hardcoded to a fixed value of 500 whereas it should correctly use _swapFeeTier.

Impact

Using the incorrect FeeTier could lead to inaccuracies in amountIn, resulting in a failed swap.

Recommended Mitigation

      function _payDebt(uint256 debtAmount, uint256 fee) internal {
        _repay(wETHA(), debtAmount);
        // Get a Quote to know how much collateral i require to pay debt
        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
-           IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
+           IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, _swapFeeTier, 0)
        );    

        _withdraw(ierc20A(), amountIn, address(this) );
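Review bot: `_swapFeeTier` in the `+` line must be the `uint24` that `IQuoterV2.QuoteExactOutputSingleParams.fee` expects (or be narrowed explicitly), otherwise the patched call will not compile or will silently truncate; with that confirmed, the quote and the `_swap` call further down in the function finally address the same pool, which is the whole point of the fix. The hunk only shows the quote side, so it is worth stating in the PR that the `0` price limit passed to the quoter is also what the swap handler uses, since any other difference between the quote parameters and the executed swap would reintroduce the same amountIn drift.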

Assessed type

Context
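To make the mismatch concrete, the following is an added Python model, not BakerFi or Uniswap code: two constructed constant-product pools stand in for the 0.05% and 0.3% fee tiers, `quote_exact_output_single` and `swap_exact_output` stand in for the quoter and the exact-output swap, and `pay_debt` mirrors the quote, withdraw, swap order of `_payDebt`. Pool reserves, the debt amount and the second tier (3000) are made up. It goes one step beyond the finding by also showing the opposite mismatch, where the quote overestimates and collateral is withdrawn that the swap never spends.

```python
"""Constructed model (added example, not BakerFi or Uniswap code) of what goes wrong
when an exact-output quote is taken from one fee tier and the swap is sent to another."""
from dataclasses import dataclass

FEE_DENOM = 1_000_000  # Uniswap V3 fee units: hundredths of a bip (500 = 0.05%, 3000 = 0.3%)


class SwapReverted(Exception):
    """Stands in for the router revert when the exact-output swap needs more input than amountInMaximum."""


@dataclass
class Pool:
    fee: int          # uint24 fee tier
    reserve_in: int   # collateral side (ierc20A in the finding)
    reserve_out: int  # WETH side

    def amount_in_for_exact_out(self, amount_out: int) -> int:
        """Input needed for an exact output: constant-product pool with the fee taken on
        the input, rounded up. A single-range approximation of concentrated liquidity,
        which is all the fee-tier mismatch needs."""
        if amount_out >= self.reserve_out:
            raise ValueError("insufficient liquidity")
        numerator = self.reserve_in * amount_out * FEE_DENOM
        denominator = (self.reserve_out - amount_out) * (FEE_DENOM - self.fee)
        return numerator // denominator + 1


# Constructed liquidity: the 0.05% pool is deep, the 0.3% pool is shallow, so the same
# exact output costs a different amount of input in each.
POOLS = {
    500: Pool(fee=500, reserve_in=1_000_000, reserve_out=1_000_000),
    3000: Pool(fee=3000, reserve_in=100_000, reserve_out=100_000),
}


def quote_exact_output_single(pools: dict, fee: int, amount_out: int) -> int:
    """Mimics IQuoterV2.quoteExactOutputSingle: the quote is pool-specific, so `fee` selects the pool."""
    return pools[fee].amount_in_for_exact_out(amount_out)


def swap_exact_output(pools: dict, fee: int, amount_out: int, amount_in_maximum: int) -> int:
    """Mimics an exact-output swap: reverts if the selected pool needs more than amount_in_maximum."""
    required = pools[fee].amount_in_for_exact_out(amount_out)
    if required > amount_in_maximum:
        raise SwapReverted(f"need {required}, max {amount_in_maximum}")
    return required  # input actually consumed


def pay_debt(pools: dict, quote_fee: int, swap_fee: int, debt_plus_fee: int) -> dict:
    """Mirrors the _payDebt flow: quote at quote_fee, withdraw that much collateral,
    then swap at swap_fee with the quoted amount as amountInMaximum."""
    amount_in = quote_exact_output_single(pools, quote_fee, debt_plus_fee)
    withdrawn = amount_in  # collateral pulled out of the lending market
    spent = swap_exact_output(pools, swap_fee, debt_plus_fee, amount_in)
    return {"quoted": amount_in, "spent": spent, "unused_collateral": withdrawn - spent}


def scenarios(debt_plus_fee: int = 10_000) -> dict:
    """The three cases side by side: tiers match, quote too low, quote too high."""
    out = {"matching": pay_debt(POOLS, 500, 500, debt_plus_fee)}
    try:  # hardcoded 500 in the quote, _swapFeeTier == 3000 in the swap
        pay_debt(POOLS, 500, 3000, debt_plus_fee)
        out["quote_500_swap_3000"] = "completed"
    except SwapReverted as e:
        out["quote_500_swap_3000"] = f"reverted: {e}"
    # the other direction: the quote overestimates, so too much collateral is withdrawn
    out["quote_3000_swap_500"] = pay_debt(POOLS, 3000, 500, debt_plus_fee)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

With these constructed reserves the middle scenario reverts: the 0.3% pool needs 11145 units of collateral, but the quote taken from the 0.05% pool allowed only 10107 as the maximum input. The last scenario completes but leaves 1038 units of withdrawn collateral unspent; the `_payDebt` excerpt above only re-supplies WETH leftovers, so in this model that collateral simply sits in the strategy contract.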

c4-judge commented 5 months ago

0xleastwood marked the issue as primary issue

c4-judge commented 5 months ago

0xleastwood marked issue #38 as primary and marked this issue as a duplicate of 38

c4-judge commented 5 months ago

0xleastwood marked the issue as satisfactory

c4-judge commented 5 months ago

0xleastwood marked the issue as not a duplicate

c4-judge commented 5 months ago

0xleastwood marked the issue as duplicate of #38

c4-judge commented 5 months ago

0xleastwood changed the severity to 3 (High Risk)