Closed c4-bot-1 closed 2 months ago
The report is of sufficient quality
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
We are taking the fee based on the liquidity value of the position. It doesn't matter whether the tokens in the position are meme or high-value tokens.
The recommendation of a fixed fee is inconsistent with the protocol's intent. Taking a fee from one of the swapped tokens (which may be worthless) is industry standard.
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L657-L695
Vulnerability details
Impact
Loss of funds
Proof of Concept
`SwapAndMint` swaps the given path of tokens, or a single token, into the set of position tokens. At L:205 the function calls `_prepareSwap` to convert `msg.value` to the chosen protocol's WETH and to pull more funds if required. At L:214 the fees are deducted by passing the params to `_deductFees`, and finally `_swapAndMint` is called at L:230.

Inside `_swapAndMint`, at L:367, `_swapAndPrepareAmounts` is called. `_swapAndPrepareAmounts` swaps the tokens according to the input parameters. As can be seen at L:486, if `swapSourceToken` is neither `token0` nor `token1`, it swaps `swapSourceToken` into `token0` and `token1`, and the fees are deducted from `swapSourceToken` accordingly.

However, this opens a vector under two conditions:

1. `swapSourceToken` can be a worthless high-decimal token like PEPE, so the deducted fee adds no value to the protocol.
2. `swapSourceToken` can be an expensive one like WBTC (6 decimals) or GUSD (2 decimals); accordingly, the fee on a GUSD/PEPE or WBTC/PEPE swap would hit the user hard, being abnormal compared to other swaps.

Tools Used
Manual Review
Recommended Mitigation Steps
If the protocol intends to charge a rational fee over the amounts, we recommend implementing price checks via oracles. E.g., if the swap fee is fixed at 1 USD, then 1 USD worth of ETH/WETH can be pulled during this execution.
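To make the two fee models concrete, the following added example (written for this note, not code from the Krystal repository) models both the percentage fee taken from `swapSourceToken` described in the proof of concept and the oracle-priced fixed-USD fee suggested in the mitigation. The token table, prices, the 8-decimal oracle answer format, and the function names are all constructed assumptions for the illustration; integer math mirrors what a Solidity contract would do.

```python
from decimal import Decimal

BPS_DENOMINATOR = 10_000

# Constructed token table: decimals and USD prices are illustrative assumptions
# for this example, not values taken from the project.
TOKENS = {
    "PEPE": {"decimals": 18, "price_usd": Decimal("0.00001")},
    "GUSD": {"decimals": 2, "price_usd": Decimal("1.00")},
    "WETH": {"decimals": 18, "price_usd": Decimal("3000")},
}


def percentage_fee_raw(amount_raw: int, fee_bps: int) -> int:
    """Fee taken as a share of swapSourceToken, in raw token units.

    Integer arithmetic as an on-chain contract would perform it; the USD
    value of this fee depends entirely on which token is being charged.
    """
    return amount_raw * fee_bps // BPS_DENOMINATOR


def raw_to_usd(amount_raw: int, symbol: str) -> Decimal:
    """Convert raw token units to a USD value using the constructed price table."""
    token = TOKENS[symbol]
    return Decimal(amount_raw) / (Decimal(10) ** token["decimals"]) * token["price_usd"]


def percentage_fee_usd(symbol: str, human_amount: str, fee_bps: int) -> Decimal:
    """USD value of a percentage fee charged on `human_amount` of `symbol`."""
    token = TOKENS[symbol]
    amount_raw = int(Decimal(human_amount) * (Decimal(10) ** token["decimals"]))
    return raw_to_usd(percentage_fee_raw(amount_raw, fee_bps), symbol)


def fixed_usd_fee_in_wei(fee_usd: int, eth_usd_price_raw: int, feed_decimals: int = 8) -> int:
    """Mitigation sketch: a fee fixed in USD, converted to WETH wei.

    `eth_usd_price_raw` is assumed to be an oracle answer scaled by
    10**feed_decimals (an 8-decimal feed is assumed here). A non-positive
    answer is rejected rather than producing a zero or absurd fee.
    """
    if eth_usd_price_raw <= 0:
        raise ValueError("invalid oracle answer")
    return fee_usd * 10**18 * 10**feed_decimals // eth_usd_price_raw


def compare_fee_models(fee_bps: int, eth_usd_price_raw: int) -> dict:
    """Side-by-side view: percentage fee on two source tokens vs. a 1 USD fee in WETH."""
    return {
        "pct_fee_on_1M_PEPE_usd": percentage_fee_usd("PEPE", "1000000", fee_bps),
        "pct_fee_on_10k_GUSD_usd": percentage_fee_usd("GUSD", "10000", fee_bps),
        "fixed_1usd_fee_wei": fixed_usd_fee_in_wei(1, eth_usd_price_raw),
    }


if __name__ == "__main__":
    # 1% fee, ETH priced at 3000 USD on an 8-decimal feed (constructed values)
    for name, value in compare_fee_models(100, 3000 * 10**8).items():
        print(f"{name}: {value}")
```

Running the block shows the asymmetry the report describes: the same 1% fee is worth about 0.10 USD when charged on one million PEPE and 100 USD when charged on ten thousand GUSD, whereas the oracle-based variant pulls the same amount of WETH regardless of which tokens are swapped.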
Assessed type
Other