The AUTO_COMPOUND action lets a user compound gains into liquidity, and it also allows a swap in the middle. One of its conditions is faulty, however: else if (state.token0 == state.token1) is never true, so token1 cannot be set as targetToken:
    } else if (params.action == Action.AUTO_COMPOUND) {
        if (params.targetToken == state.token0) {
            _swapAndIncrease(
                //[...]
        // @audit it should be params.targetToken == state.token1. Currently it doesn't allow for a swap
@>      } else if (state.token0 == state.token1) {
            _swapAndIncrease(
                //[...]
        } else {
            // compound without swap
            _swapAndIncrease(
                //[...]
        }
Because a pool cannot have the same token0 and token1, no position can ever satisfy this condition. Judging by other parts of the codebase and the params passed to _swapAndIncrease() in this code branch, the protocol intends to check params.targetToken == state.token1 and perform the swap in the same way as the params.targetToken == state.token0 branch.
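The branch selection described above, reduced to a stand-alone model that puts the reported condition beside the intended one. This is an added example, not code from the Krystal DeFi repository; the contract, enum and function names are hypothetical, and the elided _swapAndIncrease() arguments are deliberately not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: models which AUTO_COMPOUND branch is taken.
/// All names here are hypothetical and do not exist in V3Automation.sol.
contract AutoCompoundBranchModel {
    enum Branch { SwapToToken0, SwapToToken1, CompoundWithoutSwap }

    /// Branch order as quoted in the finding.
    function selectAsReported(address targetToken, address token0, address token1)
        public pure returns (Branch)
    {
        if (targetToken == token0) {
            return Branch.SwapToToken0;
        } else if (token0 == token1) {
            // Unreachable: a pool never has token0 == token1.
            return Branch.SwapToToken1;
        } else {
            return Branch.CompoundWithoutSwap;
        }
    }

    /// Same branches with the condition the finding says was intended.
    function selectAsIntended(address targetToken, address token0, address token1)
        public pure returns (Branch)
    {
        if (targetToken == token0) {
            return Branch.SwapToToken0;
        } else if (targetToken == token1) {
            return Branch.SwapToToken1;
        } else {
            return Branch.CompoundWithoutSwap;
        }
    }

    /// Reverts if the model disagrees with the finding's description.
    /// `other` stands for any target that is neither pool token.
    function check(address token0, address token1, address other) external pure {
        require(token0 != token1, "pool invariant: distinct tokens");
        require(other != token0 && other != token1, "other must differ");
        // targetToken == token1: the reported logic falls through to no swap.
        assert(selectAsReported(token1, token0, token1) == Branch.CompoundWithoutSwap);
        assert(selectAsIntended(token1, token0, token1) == Branch.SwapToToken1);
        // Every other target behaves the same before and after the change.
        assert(selectAsReported(token0, token0, token1) == selectAsIntended(token0, token0, token1));
        assert(selectAsReported(other, token0, token1) == selectAsIntended(other, token0, token1));
    }
}
```

Calling check() with any two distinct token addresses and a third unrelated address passes, which shows that only the targetToken == token1 case changes behaviour under the corrected condition.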
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/V3Automation.sol#L158
Vulnerability details
Impact
Protocol functionality broken
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Error