In the swapIn32502CA71 and swapInPermit2CEAAB576 functions, the contract assumes the returned swapAmountOut is negative and negates it before comparing to minOut. However, this assumption may not always hold true, potentially leading to incorrect comparisons and loss of funds.
require(-swapAmountOut >= int256(minOut), "min out not reached!");
Impact
If swapAmountOut is ever positive, this check will revert, preventing valid swaps. If it's negative but smaller in magnitude than minOut, the check will pass when it shouldn't, potentially allowing unfavorable swaps.
Proof of Concept
Consider a scenario where swapAmountOut is 100 (a positive value):
swapAmountOut = 100;
minOut = 50;
require(-100 >= 50, "min out not reached!"); // This will revert, blocking a valid swap
Now consider when swapAmountOut is -40:
swapAmountOut = -40;
minOut = 50;
require(40 >= 50, "min out not reached!"); // This will pass, allowing an unfavorable swap
Tools Used
Manual Review
Recommended Mitigation Steps
Remove the negation and use absolute value comparison:
require(abs(swapAmountOut) >= minOut, "min out not reached!");
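The recommended check calls abs, which Solidity does not provide as a built-in. One way to write it is shown here as an added example; it is not code from this report or from SeawaterAMM, and the names MinOutCheck, absInt and checkMinOut are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not SeawaterAMM code. `MinOutCheck`, `absInt` and
/// `checkMinOut` are hypothetical names used for illustration.
library MinOutCheck {
    /// Magnitude of a signed amount, returned as uint256.
    /// type(int256).min has no positive int256 counterpart, so `-x` would
    /// revert under checked arithmetic; that value is handled explicitly.
    function absInt(int256 x) internal pure returns (uint256) {
        if (x == type(int256).min) {
            return uint256(type(int256).max) + 1; // 2**255
        }
        return uint256(x < 0 ? -x : x);
    }

    /// Compares the magnitude with minOut in the unsigned domain, so minOut
    /// never goes through an explicit uint256 -> int256 conversion (which is
    /// unchecked and reinterprets values above type(int256).max as negative).
    function checkMinOut(int256 swapAmountOut, uint256 minOut) internal pure {
        require(absInt(swapAmountOut) >= minOut, "min out not reached!");
    }
}
```

With minOut = 50, this version accepts swapAmountOut values of 100 and -100 and reverts for -40.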
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/SeawaterAMM.sol#L276
Assessed type
Other