Incorrect Amplification Coefficient Scaling in StableSwap Contracts

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0xca7711493d278c5dc733a88e0111ddbe6bb16bf6ce891e3898aab1fe2aa3774f Severity: medium

Description: Description\ In the StableSwapTwoPool and StableSwapThreePool contracts, the amplification coefficient _A is described in the comments as being scaled by n * (n - 1).

 * @param _A: Amplification coefficient multiplied by n * (n - 1)

This scaling is intended to adjust the amplification coefficient for use in the stable swap invariant equation. However, this formula is incorrect for pools with more than two tokens. The correct scaling should be n**(n-1)i.e n^(n-1)and not n*(n-1) to ensure accurate calculations in the stable swap algorithm.

Attack Scenario\ For a pool with exactly two tokens (lets say n = 2), the formulas 2 * (2 - 1) and 2^(2-1) retuns the same result, so the issue is not critical in this specific case. However, for pools with more than two tokens, such as the StableSwapThreePool contract, the discrepancy becomes significant. Using the incorrect scaling factor can lead to inaccurate calculations when swapping between tokens, potentially resulting in incorrect token amounts being exchanged.

Attachments

1. Proof of Concept (PoC) File

Consider a pool with three tokens (n = 3).

The current scaling formula n * (n - 1) would calculate the scaling factor as 3 * (3 - 1) = 6. However, the correct scaling factor should be n^(n-1) = 3^(3-1) = 9. This difference in scaling can lead to significant errors in the invariant calculations and the resulting swap amounts.

affected code:

StableSwapFactory.sol

 /**
     * @notice createThreePoolPair
     * @param _tokenA: Addresses of ERC20 conracts .
     * @param _tokenB: Addresses of ERC20 conracts .
     * @param _tokenC: Addresses of ERC20 conracts .
     * @param _A: Amplification coefficient multiplied by n * (n - 1)@audit-incorrect formula used
     * @param _fee: Fee to charge for exchanges
     * @param _admin_fee: Admin fee
     */
    function createThreePoolPair(
        address _tokenA,
        address _tokenB,
        address _tokenC,
        uint256 _A,
        uint256 _fee,
        uint256 _admin_fee
    ) external onlyAdmin {

StableSwapThreePool.sol

/**
     * @notice initialize
     * @param _coins: Addresses of ERC20 conracts of coins (c-tokens) involved
     * @param _A: Amplification coefficient multiplied by n * (n - 1)@audit-incorrect formula
     * @param _fee: Fee to charge for exchanges
     * @param _admin_fee: Admin fee
     * @param _owner: Owner
     * @param _LP: LP address
     */
    function initialize(
        address[N_COINS] memory _coins,
        uint256 _A,
        uint256 _fee,
        uint256 _admin_fee,
        address _owner,
        address _LP

StableSwapTwoPool.sol

    /**
     * @notice initialize
     * @param _coins: Addresses of ERC20 conracts of coins (c-tokens) involved
     * @param _A: Amplification coefficient multiplied by n * (n - 1)@audit-incorrect formula
     * @param _fee: Fee to charge for exchanges
     * @param _admin_fee: Admin fee
     * @param _owner: Owner
     * @param _LP: LP address
     */
    function initialize(
        address[N_COINS] memory _coins,
        uint256 _A,
        uint256 _fee,
        uint256 _admin_fee,
        address _owner,
        address _LP

2. Revised Code File (Optional)
   • use n**(n-1)

Additional resources: Same issue found in the connext which is also inspired by curve and the issue was found by the spearbit report

issue : 5.2.11

fix: https://github.com/connext/monorepo/commit/d7262e9e82e0f5c49d8fc31ba4352bfeac9c44fe

pr : https://github.com/connext/monorepo/pull/2353

[aktech297]

I think, its comment error. the implementation correctly using A value. check test

[omega-audits]

Thanks for your submission So typo's or errors in the documentation are not usually rewarded - as you can see from the rules. Can you please indicate where in the code there is an issue here?