Closed c4-bot-6 closed 2 months ago
hansfriese marked the issue as unsatisfactory: Invalid
Apply full credit since the warden has submitted by splitting the primary into two issues. Will invalidate #85 instead.
hansfriese marked the issue as not a duplicate
hansfriese marked the issue as satisfactory
hansfriese marked the issue as duplicate of #288
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/AccountingLibrary.sol#L256
Vulnerability details
Vulnerability details
when call
executeSellCreditMarket()
We can specify exactAmountIn=false and params.creditPositionId is same CreditPosition The code is as follows:The above code, mainly calculates
creditAmountIn
andfees
based oncashAmountOut
andfragmentationFee
After that,cashAmountOut
is transferred to msg.sender, fees is transferred to feeRecipient , and creditAmountIn is recorded as debt.Note:
fragmentationFee
should be borne bymsg.sender
, andcashAmountOut
is the value eventually transferred tomsg.sender
! So in fact, when calculatingswapFeePercent
, what is given to the user should be:to_borrower_token = cashAmountOut + fragmentationFee
, it's just that the final transfer tomsg.sender
is minusfragmentationFee
The above code uses the formula:
The second formula is wrong, using the data as an example:
Example. cashAmountOut = 100 ratePerTenor = 5% swapFeePercent = 1% fragmentationFee = 0.1
According to the current code formula. creditAmountIn = (100 + 0.1) 1.05 / 0.99 = 106.16666666667 fees = (cashAmountOut swapFeePercent) = 1
One of the formulas we want to ensure is: (to_borrower_token + fees ) (1 + ratePerTenor) = creditAmountIn But according to the above calculation it is not equal: ((100 + 0.1) + 1 ) 1.05 = 106.155 ≠ 106.16666666667
The second formula correctly should be: fees = (cashAmountOut + fragmentationFee) * swapFeePercent / (1 - swapFeePercent)
i.e.: fees = (100 + 0.1 ) * 0.01 / 0.99 = 1.01111111111
This ensures that: (to_borrower_token + fees ) (1 + ratePerTenor) = creditAmountIn => (100 + 0.1 + 1.01111111111) 1.05 = 106.166666667= 106.166666667
Impact
lender pays fees that are always less than the correct value
Recommended Mitigation
Assessed type
Math