The calculation of cashAmountIn when there is credit fractionalization. In the case of credit fractionalization (creditAmountOut < maxCredit), the code calculates cashAmountIn as follows: getCashAmountIn#L326-L327
However, this calculation needs to be corrected. The fragmentationFee should not be added to cashAmountIn because it is already included in the calculation of the fees in the next line: getCashAmountIn#L329
In the case of credit fractionalization (creditAmountOut < maxCredit), the fragmentationFee is added to both cashAmountIn and fees. This leads to double-counting of the fragmentation fee, resulting in an incorrect calculation of cashAmountIn.
The correct calculation should only include the fragmentationFee in the fees calculation, not in cashAmountIn.
Let's say creditAmountOut is 800, maxCredit is 1000, ratePerTenor is 10%, and state.feeConfig.fragmentationFee is 5.
With the current implementation
netCashAmountIn = 800 * 100 / (100 + 10) ≈ 727.27
cashAmountIn = 727.27 + 5 = 732.27
fees = getSwapFee(state, 727.27, tenor) + 5
However, the correct calculation should be
netCashAmountIn = 800 * 100 / (100 + 10) ≈ 727.27
cashAmountIn = 727.27
fees = getSwapFee(state, 727.27, tenor) + 5
Tools Used
Vs
Recommended Mitigation Steps
The calculation of cashAmountIn should be updated to
This way, the fragmentationFee is only included in the fees calculation, and cashAmountIn represents the correct amount of cash required to obtain the desired credit amount.
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L326-L327 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L329 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L303-L336
Vulnerability details
Impact
The calculation of
cashAmountIn
when there is credit fractionalization. In the case of credit fractionalization (creditAmountOut < maxCredit)
, the code calculatescashAmountIn
as follows: getCashAmountIn#L326-L327However, this calculation needs to be corrected. The
fragmentationFee
should not be added tocashAmountIn
because it is already included in the calculation of the fees in the next line: getCashAmountIn#L329By adding
fragmentationFee
to bothcashAmountIn
andfees
, the function is double-counting the fragmentation fee, which may lead to incorrect results.Proof of Concept
Link to the
getCashAmountIn
function in theAccountingLibrary.sol
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L303-L336In the case of credit fractionalization
(creditAmountOut < maxCredit)
, the fragmentationFee is added to bothcashAmountIn
and fees. This leads to double-counting of the fragmentation fee, resulting in an incorrect calculation ofcashAmountIn
.The correct calculation should only include the
fragmentationFee
in thefees
calculation, not incashAmountIn
.Let's say
creditAmountOut
is 800,maxCredit
is 1000,ratePerTenor
is 10%, andstate.feeConfig.fragmentationFee
is 5.With the current implementation
netCashAmountIn
= 800 * 100 / (100 + 10) ≈ 727.27cashAmountIn
= 727.27 + 5 = 732.27fees
= getSwapFee(state, 727.27, tenor) + 5However, the correct calculation should be
netCashAmountIn
= 800 * 100 / (100 + 10) ≈ 727.27cashAmountIn
= 727.27fees
= getSwapFee(state, 727.27, tenor) + 5Tools Used
Vs
Recommended Mitigation Steps
The calculation of
cashAmountIn
should be updated toThis way, the
fragmentationFee
is only included in thefees
calculation, andcashAmountIn
represents the correct amount of cash required to obtain the desired credit amount.Assessed type
Math