Closed howlbot-integration[bot] closed 2 months ago
hansfriese marked the issue as not a duplicate
Duplicate of #288. Will apply 75% partial credit as it found 1 of 2 incorrect instances.
hansfriese changed the severity to 3 (High Risk)
hansfriese marked the issue as duplicate of #288
hansfriese marked the issue as partial-75
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L249
Vulnerability details
Impact
The getCreditAmountIn function calculates the amount of fees inaccurately, causing them to be less than the protocol intends. As a result, the protocol loses funds, because the fee recipient will not receive the full amount of swap fees.
Proof of Concept
The getCreditAmountIn function is used in the SellCreditMarket.sol contract when the caller has set params.exactAmountIn to false. It calculates the amount of swap fees that the fee recipient is going to receive the following way:
As we can see, the fee is derived as a percentage of cashAmountOut. The issue is that cashAmountOut is the same amount of funds that will be sent to the borrower:
The problem is that in all other functions that calculate cash/credit input and output amounts (getCashAmountOut, getCreditAmountIn, getCreditAmountOut, getCashAmountIn) in the AccountingLibrary.sol contract, the fees are always derived from an amount greater than the cash the borrower will actually receive. For example:
1/ In getCashAmountOut:
Here the fees are derived from maxCashAmountOut, and cashAmountOut is sent to the borrower. Therefore, when this method is used, the fees are greater than if getCreditAmountIn were used.
2/ In getCreditAmountOut:
However, here the cash sent to the borrower is not cashAmountIn, but:
Therefore, here the fees are again derived from an amount greater than the cash actually sent to the borrower.
3/ In getCashAmountIn:
This is the same as the example above, as again the cash sent to the borrower is:
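To make the arithmetic behind the report concrete, the following is an added Python illustration; it is not code from the SIZE repository or from the finding above. Because the report's own Solidity excerpts are not preserved on this page, the two fee shapes below are assumptions that only mirror the pattern it describes: one derives the fee from the net cash sent to the borrower (the getCreditAmountIn case), the other from a gross amount out of which that net cash is then taken (the pattern described for the other three functions). PERCENT, mul_div_up/mul_div_down and all function names are the example's own, and the 1e18 fixed-point convention is assumed.

```python
# Added illustration, not code from the SIZE repository or from the finding.
# The finding's code excerpts were not preserved, so the two fee shapes below
# are assumptions that only mirror the pattern the report describes:
#   - getCreditAmountIn: fee = swapFee% of the net cash the borrower receives
#   - the other three functions: fee = swapFee% of a gross amount, from which
#     the borrower's net cash is then carved out
# Arithmetic uses Solidity-style 1e18 fixed point and integer mulDiv rounding.

PERCENT = 10**18  # 1e18 == 100% (common Solidity convention; assumption)


def mul_div_down(x: int, y: int, d: int) -> int:
    """x * y / d, rounded toward zero (like Solidity's mulDivDown)."""
    return (x * y) // d


def mul_div_up(x: int, y: int, d: int) -> int:
    """x * y / d, rounded up (like Solidity's mulDivUp)."""
    return -((-(x * y)) // d)


def fee_from_net(cash_amount_out: int, swap_fee_percent: int) -> int:
    """Fee computed on the net amount the borrower receives.

    This is the shape the finding attributes to getCreditAmountIn: the same
    cashAmountOut that is transferred to the borrower is also the fee base.
    """
    return mul_div_up(cash_amount_out, swap_fee_percent, PERCENT)


def gross_for_net(cash_amount_out: int, swap_fee_percent: int) -> int:
    """Smallest gross amount whose (1 - fee%) share still covers cash_amount_out."""
    if not 0 <= swap_fee_percent < PERCENT:
        raise ValueError("swap fee must be in [0%, 100%)")
    return mul_div_up(cash_amount_out, PERCENT, PERCENT - swap_fee_percent)


def fee_from_gross(cash_amount_out: int, swap_fee_percent: int) -> int:
    """Fee computed on the gross amount, of which the borrower gets the net.

    This mirrors the pattern the finding describes for getCashAmountOut,
    getCreditAmountOut and getCashAmountIn: the fee base (e.g. maxCashAmountOut)
    is larger than the cash that actually reaches the borrower.
    """
    gross = gross_for_net(cash_amount_out, swap_fee_percent)
    return gross - cash_amount_out


def fee_shortfall(cash_amount_out: int, swap_fee_percent: int) -> int:
    """How much less the fee recipient gets under the net-based derivation."""
    return fee_from_gross(cash_amount_out, swap_fee_percent) - fee_from_net(
        cash_amount_out, swap_fee_percent
    )


def fees_consistent(cash_amount_out: int, swap_fee_percent: int) -> bool:
    """Invariant a reviewer can check for any payout: for the same net cash,
    the gross-based fee is never smaller than the net-based one, and the gross
    amount rounds back down to at least the borrower's net cash."""
    gross = gross_for_net(cash_amount_out, swap_fee_percent)
    net_back = mul_div_down(gross, PERCENT - swap_fee_percent, PERCENT)
    return (
        fee_from_gross(cash_amount_out, swap_fee_percent)
        >= fee_from_net(cash_amount_out, swap_fee_percent)
        and net_back >= cash_amount_out
    )


def compare(cash_amount_out: int, swap_fee_percent: int) -> dict:
    """Side-by-side view of both derivations for one trade."""
    return {
        "net_to_borrower": cash_amount_out,
        "fee_on_net": fee_from_net(cash_amount_out, swap_fee_percent),
        "fee_on_gross": fee_from_gross(cash_amount_out, swap_fee_percent),
        "shortfall": fee_shortfall(cash_amount_out, swap_fee_percent),
    }


if __name__ == "__main__":
    # Constructed sample: borrower receives 1,000 USDC (6 decimals), 0.5% swap fee.
    for row in (compare(1_000 * 10**6, 5 * 10**15), compare(123_456_789, 10**16)):
        print(row)
```

Running the block shows that, for a 1,000 USDC payout at a 0.5% fee, deriving the fee from the net amount yields 5.000000 USDC while deriving it from the gross amount yields 5.025126 USDC; the difference is the fee the recipient misses whenever the net-based path is taken.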
Tools Used
Manual review
Recommended Mitigation Steps
Consider deriving the fees in getCreditAmountIn as follows:
Assessed type
Math