Beneficiary would get unfair of quote amount if the converted tokens are equal
Summary
In flash function after the trader transfer and swapperFlashCallback is done, an amountToBeneficiary is sent to Beneficiary address by _transferToBeneficiary function which is calling getQuoteAmounts to transfer it to Beneficiary address on L231
Now an internal call must happens inside getQuoteAmounts function which is the function _getQuoteAmount and here inside this function the issue occurs. (explained in Vulnerability Detail)
Vulnerability Detail
On _getQuoteAmount function there is a skip for oracle price if the converted tokens are equal. that leaves us with a default sense that no need to get the price since they are the same which looks logical from the first sight, but Unfortunately it is not.
Lets check the code carefully on L258
you can see the formula here is relaying on scaledOfferFactor
Now in case po.scaledOfferFactor is 99% the issue can happen, lets assume the beneficiary token USDC: A trader can propose a quote with 100000 USDC but the Beneficiary gets 99000 USDC.
evo
medium
Beneficiary would get unfair of quote amount if the converted tokens are equal
Summary
In
flash
function after the trader transfer and swapperFlashCallback is done, anamountToBeneficiary
is sent to Beneficiary address by_transferToBeneficiary
function which is calling getQuoteAmounts to transfer it to Beneficiary address on L231Now an internal call must happens inside
getQuoteAmounts
function which is the function_getQuoteAmount
and here inside this function the issue occurs. (explained in Vulnerability Detail)Vulnerability Detail
On _getQuoteAmount function there is a skip for oracle price if the converted tokens are equal. that leaves us with a default sense that no need to get the price since they are the same which looks logical from the first sight, but Unfortunately it is not. Lets check the code carefully on L258
you can see the formula here is relaying on scaledOfferFactor
Now in case
po.scaledOfferFactor
is 99% the issue can happen, lets assume the beneficiary token USDC: A trader can propose a quote with 100000 USDC but the Beneficiary gets 99000 USDC.baseAmount = 100000 USDC scaledOfferFactor = 99% = 99_00_00 PERCENTAGE_SCALE = 100% = 100_00_00 100000 * 990000 / 1000000 = 99000 USDC
Note: A bad actor might repeat or make this action with large amounts for the current and future funds at the swapper contract.
Impact
Unfairness of quote amount value that Beneficiary will get if the base token equal the quote token.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-oracle/src/UniV3OracleImpl.sol#L258-L260 https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L231 https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L218
Tool used
Manual Review
Recommendation
Disallow swapping/trading when the base token equal the quote token.
Duplicate of #104