Invalid or Unexpected Return Values in `previewUnitaryAddLiquidity` Function

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x427591f2d369cdc84151cc5950aaa0a2683c7f0c792aaacb1721a3c7c49812e5 Severity: high

Description: Summary:

• The CurveLiqArbitrage.sol#L33-#L56 function fails to validate the return values of last_prices() and coins(0) from the curvePool contract, which can lead to unexpected behavior. A user can input a malicious curvePool address to manipulate return values from these functions, causing potential calculation errors, transaction reversion, or unintended behavior within the function.

Vulnerability Details:

1. Function: previewUnitaryAddLiquidity
2. Location:
   • last_prices() call, which lacks validation to prevent zero or extremely large values.
   • coins(0) call, which may not point to an ERC-20 token with a valid decimals() function.
3. Impact: Division by zero, underflows, or other calculation errors.
4. Root Cause: Lack of validation on last_prices() and coins(0) return values.

Code Reference:

uint256 lastPrices = ICurvePool(curvePool).last_prices();
uint256 tokenUnit = 10 ** IERC20Metadata(ICurvePool(curvePool).coins(0)).decimals();

return ICurvePool(curvePool).calc_token_amount([amountToken0, amountToken1]).mulDiv(
    tokenUnit,
    depositInToken0
);

Suggested Fix: Add validation checks for both last_prices() and coins(0) before calculations:

// Validate last_prices
uint256 lastPrices = ICurvePool(curvePool).last_prices();
require(lastPrices > 0, "Invalid last_prices value");

// Validate coins(0) and its decimals
address token0 = ICurvePool(curvePool).coins(0);
require(token0 != address(0), "Invalid token0 address");

uint256 tokenDecimals;
try IERC20Metadata(token0).decimals() returns (uint8 decimals) {
    tokenDecimals = decimals;
} catch {
    revert("Invalid token0 decimals");
}

uint256 tokenUnit = 10 ** tokenDecimals;

// Proceed with calc_token_amount calculation
uint256 result;
try ICurvePool(curvePool).calc_token_amount([amountToken0, amountToken1]) returns (uint256 calcAmount) {
    result = calcAmount.mulDiv(tokenUnit, depositInToken0);
} catch {
    revert("Invalid calc_token_amount calculation");
}

return result;

[yanisepfl]

Hello,

Invalid for the same reason as: https://github.com/hats-finance/Spectra-0x4b792db3d2a5d1c1ccf9938380756b200c240e5d/issues/11

Thanks