search

sherlock-audit / 2023-02-bond-judging

2 stars 0 forks source link

xiaoming90 - Incorrect payout amount returned from the `BondBaseFPA.payoutFor` function (FPA only) #21

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

xiaoming90

high

Incorrect payout amount returned from the BondBaseFPA.payoutFor function (FPA only)

Summary

The BondBaseFPA.payoutFor return an incorrect payout amount.

Vulnerability Detail

The BondBaseFPA.payoutFor function relies on the BondBaseFPA.marketPrice function to fetch the market price. The market price is expected to be in the price ratio of quote tokens per payout token (Q/P).

File: BondBaseFPA.sol
350:     function payoutFor(
351:         uint256 amount_,
352:         uint256 id_,
353:         address referrer_
354:     ) public view override returns (uint256) {
355:         // Calculate the payout for the given amount of tokens
356:         uint256 fee = amount_.mulDiv(_teller.getFee(referrer_), ONE_HUNDRED_PERCENT);
357:         uint256 payout = (amount_ - fee).mulDiv(markets[id_].scale, marketPrice(id_));
358: 
359:         // Check that the payout is less than or equal to the maximum payout,
360:         // Revert if not, otherwise return the payout
361:         if (payout > markets[id_].maxPayout) {
362:             revert Auctioneer_MaxPayoutExceeded();
363:         } else {
364:             return payout;
365:         }
366:     }

However, due to a bug in the BondBaseFPA.marketPrice function, this function returns the price ratio of payout tokens per quote token (P/Q) instead of the ratio of quote tokens per payout token (Q/P). Refer to my other write-up titled "Incorrect market price returned from BondBaseFPA.marketPrice function (FPA Only)" on the bug in the BondBaseFPA.marketPrice function for more details. As a result, the payout computed will be incorrect.

Impact

If any internal function within the protocol relies on the BondBaseFPA.payoutFor function, it will receive the wrong result, thus causing computation error, which could potentially lead to loss of assets if it uses the incorrect result to determine the number of payout tokens to be issued (e.g. less payout token being issued to users).

In addition, since this is a public function, any external or third-party protocol that integrates with this function would also suffer the same problem.

Code Snippet

https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/bases/BondBaseFPA.sol#L350

Tool used

Manual Review

Recommendation

Remediate the bug in the BondBaseFPA.marketPrice function and ensure that it returns the market price in the format of quote tokens per payout token (Q/P).

Duplicate of #20

Oighty commented 1 year ago

Disagree with this finding. See comment on #20