hats-finance / Common--Stableswap-0xd4d9a2772202ce33b24901d3fc94e95a84b37430

Apache License 2.0

`token_rate.update_rate` isn't implemented correctly #8

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xdc37c2af460bbb4924d6cff57b5511047ee7597fca5e42aa8469c205a9d4d63a
Severity: medium

Description: `token_rate.update_rate`'s implementation isn't correct; by abusing the issue, a stale price might be used.

`token_rate.update_rate` is used by `lib.update_rates`, and `lib.update_rates` is used by `lib._swap_exact_in`, `lib._swap_exact_out` and other functions; I will take `lib._swap_exact_in` as an example.

  1. When `lib._swap_exact_in` is called, `self.update_rates` is called in lib.rs#L440
  2. then in `lib.update_rates`, `rate.update_rate` is called in lib.rs#L319
  3. then the code flow goes to `token_rate.update_rate`
  4. if token_rate.rs#L55 is executed, the code flow goes to token_rate.rs#L90-L96
  5. In `token_rate.update_rate`, the function first checks if the rate is outdated, then updates the price only if the rate is outdated, which is incorrect for a token whose rate changes rapidly.
```rust
90     pub fn update_rate(&mut self, current_time: u64) -> bool {
91         if self.is_outdated(current_time) { // <<<--- the function first checks if the rate is outdated, and then updates the rate only if so
92             self.update(current_time)
93         } else {
94             false
95         }
96     }
```

Attack Scenario: Consider a case where tokenA:tokenB = 1:1; at some point, for some reason, tokenA:tokenB becomes 100:1. Because the check in token_rate.rs#L91 returns false, the stale price will be used.

The pool will lose assets.

Attachments
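Added illustration, not the project's code: a small Rust model of the check-then-update flow in the reported snippet, with an assumed `expiration` field and a simulated oracle in place of the real rate source, showing that a rate move inside the expiry window is not picked up and the cached value is what the swap math would read.

```rust
use std::sync::atomic::{AtomicU64, Ordering};

/// Minimal model of the check-then-update pattern (assumed fields; not the project's struct).
pub struct TokenRate {
    rate: u128,           // cached rate the swap math would read
    last_update: u64,     // timestamp of the last refresh
    expiration: u64,      // seconds after which the cache counts as outdated
    oracle: fn() -> u128, // stand-in for the on-chain rate source
}

impl TokenRate {
    pub fn new(oracle: fn() -> u128, expiration: u64, now: u64) -> Self {
        TokenRate { rate: oracle(), last_update: now, expiration, oracle }
    }
    fn is_outdated(&self, current_time: u64) -> bool {
        current_time >= self.last_update + self.expiration
    }
    fn update(&mut self, current_time: u64) -> bool {
        let fresh = (self.oracle)();
        self.last_update = current_time;
        let changed = fresh != self.rate;
        self.rate = fresh;
        changed
    }
    /// Same control flow as token_rate.rs#L90-L96: refresh only when outdated.
    pub fn update_rate(&mut self, current_time: u64) -> bool {
        if self.is_outdated(current_time) { self.update(current_time) } else { false }
    }
    pub fn rate(&self) -> u128 { self.rate }
}

// Simulated oracle (constructed for the demo); the demo "moves the market" by changing it.
static LIVE_RATE: AtomicU64 = AtomicU64::new(1);
fn oracle() -> u128 { LIVE_RATE.load(Ordering::SeqCst) as u128 }

/// Rate jumps 1 -> 100 ten seconds after caching, inside a 3600 s window.
/// Returns (refreshed?, cached rate, live rate): the swap would still see 1.
pub fn inside_window() -> (bool, u128, u128) {
    LIVE_RATE.store(1, Ordering::SeqCst);
    let mut tr = TokenRate::new(oracle, 3600, 1_000);
    LIVE_RATE.store(100, Ordering::SeqCst);
    let refreshed = tr.update_rate(1_010);
    (refreshed, tr.rate(), oracle())
}

/// Same jump, but the call lands after the window: the cache catches up.
pub fn after_window() -> (bool, u128) {
    LIVE_RATE.store(1, Ordering::SeqCst);
    let mut tr = TokenRate::new(oracle, 3600, 1_000);
    LIVE_RATE.store(100, Ordering::SeqCst);
    (tr.update_rate(4_600), tr.rate())
}
```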

whoismxuse commented 3 months ago

dup of #7