An incorrect if condition is used in the decodeWellData() function in Stable2 contract, where decimal0 is checked instead of decimal1 before assigning a value to decimal1. This oversight can lead to incorrect scaling of reserves, which could have significant downstream effects on the functionality of the contract.
Impact
The issue in the decodeWellData() function where decimal0 is incorrectly checked instead of decimal1 has significant consequences. This function is responsible for decoding and validating the token decimal values used throughout the contract. The error can lead to the following issues:
Incorrect Scaling of Reserves: The getScaledReserves function scales reserves to 18 decimals using decimal1. If decimal1 is zero, this scaling will fail, resulting in incorrect reserve values being used in calculations.
Faulty LP Token Supply Calculation: The calcLpTokenSupply function uses these scaled reserves to calculate the supply of LP tokens. Incorrect reserve values could lead to an inaccurate supply calculation, impacting liquidity provision and withdrawal.
Inaccurate Rate Calculations: The calcRate function also depends on correctly scaled reserves. With incorrect scaling, the rate between the tokens in the pool could be inaccurately calculated, leading to potential losses for users engaging in swaps.
Price Inaccuracy in calcReserveAtRatioSwap and calcReserveAtRatioLiquidity: Both functions rely on accurate reserve scaling to ensure the correct target price is reached. A zero value in decimal1 could result in improper adjustments, leading to price slippage or even reversion of transactions.
Proof of Concept
In the decodeWellData() function, the logic to ensure that decimal1 defaults to 18 decimals if it is zero is incorrect. The current implementation mistakenly checks decimal0 instead of decimal1:
if (decimal0 == 0) { // @audit should be decimal1 == 0
decimal1 = 18;
}
This means that decimal1 will only be set to 18 if decimal0 is zero, which is not the intended behavior. If decimal1 is zero but decimal0 is not, decimal1 will remain zero, leading to incorrect scaling in downstream calculations.
Tools Used
Manual Review
Recommended Mitigation Steps
Change the if condition to check decimal1 instead of decimal0:
- if (decimal0 == 0) {
+ if (decimal1 == 0) {
decimal1 = 18;
}
Lines of code
https://github.com/code-423n4/2024-07-basin/blob/7d5aacbb144d0ba0bc358dfde6e0cc913d25310e/src/functions/Stable2.sol#L317
Vulnerability details
An incorrect
ifcondition is used in thedecodeWellData()function inStable2contract, wheredecimal0is checked instead ofdecimal1before assigning a value todecimal1. This oversight can lead to incorrect scaling of reserves, which could have significant downstream effects on the functionality of the contract.Impact
The issue in the
decodeWellData()function wheredecimal0is incorrectly checked instead ofdecimal1has significant consequences. This function is responsible for decoding and validating the token decimal values used throughout the contract. The error can lead to the following issues:Incorrect Scaling of Reserves: The
getScaledReservesfunction scales reserves to 18 decimals usingdecimal1. Ifdecimal1is zero, this scaling will fail, resulting in incorrect reserve values being used in calculations.Faulty LP Token Supply Calculation: The
calcLpTokenSupplyfunction uses these scaled reserves to calculate the supply of LP tokens. Incorrect reserve values could lead to an inaccurate supply calculation, impacting liquidity provision and withdrawal.Inaccurate Rate Calculations: The
calcRatefunction also depends on correctly scaled reserves. With incorrect scaling, the rate between the tokens in the pool could be inaccurately calculated, leading to potential losses for users engaging in swaps.Price Inaccuracy in
calcReserveAtRatioSwapandcalcReserveAtRatioLiquidity: Both functions rely on accurate reserve scaling to ensure the correct target price is reached. A zero value indecimal1could result in improper adjustments, leading to price slippage or even reversion of transactions.Proof of Concept
In the
decodeWellData()function, the logic to ensure thatdecimal1defaults to 18 decimals if it is zero is incorrect. The current implementation mistakenly checksdecimal0instead ofdecimal1:https://github.com/code-423n4/2024-07-basin/blob/7d5aacbb144d0ba0bc358dfde6e0cc913d25310e/src/functions/Stable2.sol#L317
This means that
decimal1will only be set to18ifdecimal0is zero, which is not the intended behavior. Ifdecimal1is zero butdecimal0is not,decimal1will remain zero, leading to incorrect scaling in downstream calculations.Tools Used
Manual Review
Recommended Mitigation Steps
Change the
ifcondition to checkdecimal1instead ofdecimal0:Assessed type
Invalid Validation