when call executeSellCreditMarket()
We can specify exactAmountIn=false and params.creditPositionId == RESERVED_ID
This will generate new CreditPositions
The code is as follows:
The above code, mainly calculates creditAmountIn and fees based on cashAmountOut = params.amount.
After that, cashAmountOut is transferred to msg.sender, fees is transferred to feeRecipient , and creditAmountIn is recorded as debt.
The second formula is wrong
Because: cashAmountOut is what the actual user receives, swapFeePercent should not be multiplied by this value.
The normal formula should be: fees = (cashAmountOut + fees ) * swapFeePercent
Derived as:
=> fees = cashAmountOut * swapFeePercent / (1 - swapFeePercent)
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L249
Vulnerability details
Vulnerability details
when call
executeSellCreditMarket()
We can specifyexactAmountIn=false
andparams.creditPositionId == RESERVED_ID
This will generate newCreditPositions
The code is as follows:The above code, mainly calculates
creditAmountIn
andfees
based oncashAmountOut = params.amount
. After that,cashAmountOut
is transferred tomsg.sender
,fees
is transferred tofeeRecipient
, andcreditAmountIn
is recorded as debt.The calculation formula is:
The second formula is wrong Because:
cashAmountOut
is what the actual user receives,swapFeePercent
should not be multiplied by this value. The normal formula should be:fees = (cashAmountOut + fees ) * swapFeePercent
Derived as: =>fees = cashAmountOut * swapFeePercent / (1 - swapFeePercent)
This ensures that:
(cashAmountOut + fees) * (1 + ratePerTenor) = creditAmountIn
Impact
lender
pays fees that are always less than the correct valueRecommended Mitigation
Assessed type
Math