search

code-423n4 / 2024-07-basin-findings

9 stars 6 forks source link

pd.currentPrice in calcReserveAtRatioSwap() is not updated correctly. #59

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-basin/blob/7d5aacbb144d0ba0bc358dfde6e0cc913d25310e/src/functions/Stable2.sol#L226

Vulnerability details

Impact

currentPrice is converged towards targetPrice as reserve of token0 or token1 changes.

for (uint256 k; k < 255; k++) {
            scaledReserves[j] = updateReserve(pd, scaledReserves[j]);

            // calculate scaledReserve[i]:
            scaledReserves[i] = calcReserve(scaledReserves, i, lpTokenSupply, abi.encode(18, 18));
            // calc currentPrice:
            pd.currentPrice = _calcRate(scaledReserves, i, j, lpTokenSupply);
            ....
}

lpTokenSupply is calculated from scaledReserves which is updated inside for loop. But lpTokenSupply in here is calculated only once before for loop and keeps unchanged.

Tools Used

Manual audit

Recommended Mitigation Steps

            // calc currentPrice:
-           pd.currentPrice = _calcRate(scaledReserves, i, j, lpTokenSupply);
+           pd.currentPrice = calcRate(scaledReserves, i, j, abi.encode(18, 18));

Assessed type

Other

c4-judge commented 2 months ago

alex-ppg marked the issue as unsatisfactory: Invalid