XO-Zero Price Leads to Incorrect Calculation in _convertByFromPrice and _convertByToPrice Functions
Summary
Thevulnerability is in the _convertByToPrice() function especially in the priceBase and toBase. If price is zero, then this multiplication will result in a zero value. This will cause the mulDiv() function to return a zero value, which will be incorrect.
Vulnerability Detail
*/
function _convertByFromPrice(
address fromToken,
address toToken,
uint256 fromAmount,
MathUpgradeable.Rounding rounding,
uint256 price,
uint256 priceBase
) internal view virtual returns (uint256) {
uint256 fromBase = 10 ** IERC20Metadata(fromToken).decimals();
uint256 toBase = 10 ** IERC20Metadata(toToken).decimals();
return fromAmount.mulDiv(price * toBase, priceBase * fromBase, rounding);
}
/**
* @notice Converts the amount when the price is based on `toToken`, reverts if `price` is zero.
* @param fromToken Address of source token
* @param toToken Address of target token
* @param fromAmount Amount of `fromToken`
* @param rounding Rounding mode to calculate return value
* @param price The exchange rate of `toToken`/`fromToken`
* @param priceBase Ten to the power of the price decimal (10 ** price decimal)
* @return Amount of `toToken`
*/
function _convertByToPrice(
address fromToken,
address toToken,
uint256 fromAmount,
MathUpgradeable.Rounding rounding,
uint256 price,
uint256 priceBase
) internal view virtual returns (uint256) {
uint256 fromBase = 10 ** IERC20Metadata(fromToken).decimals();
uint256 toBase = 10 ** IERC20Metadata(toToken).decimals();
return fromAmount.mulDiv(priceBase * toBase, price * fromBase, rounding);
}
}
The vulnerability is in the _convertByToPrice() function, is used to convert an amount of tokens from one token to another.
The function takes the following parameters:
fromToken: The address of the source token.
toToken: The address of the target token.
fromAmount: The amount of tokens to be converted.
rounding: The rounding mode to be used when calculating the converted amount.
price: The exchange rate of fromToken/toToken.
priceBase: The base of the exchange rate.
so the problem is in the line of code that multiplies priceBase and toBase. If price is zero, then this multiplication will result in a zero value. This will cause the mulDiv() function to return a zero value, which will be incorrect.
Impact
The function is possible for to return a zero value, which would be incorrect. This could cause users to lose money if they rely on the function to return the correct value.
Here is an example : Alice wants to swap 100 tokens for 200 tokens. She calls the _convertByToPrice() function with the following parameters:
Alice has 100 tokens in her account. However, the vulnerabilityin the code does not check if price is zero. In this case, price is zero, so the mulDiv() function will return a zero value. This means that Alice will receive 0 tokens, which is a loss of 100 tokens.
XDZIBEC
high
XO-Zero Price Leads to Incorrect Calculation in _convertByFromPrice and _convertByToPrice Functions
Summary
Thevulnerability is in the
_convertByToPrice()
function especially in thepriceBase
andtoBase
. If price is zero, then this multiplication will result in a zero value. This will cause themulDiv()
function to return a zero value, which will be incorrect.Vulnerability Detail
The vulnerability is in the
_convertByToPrice()
function, is used to convert anamoun
t of tokens fromone
token toanother
. The function takes the following parameters:fromToken
: The address of the source token.toToken
: The address of the target token.fromAmoun
t: The amount of tokens to be converted.rounding
: The rounding mode to be used when calculating the converted amount.price
: The exchange rate of fromToken/toToken.priceBase
: The base of the exchange rate.so the problem is in the line of code that multiplies
priceBase
andtoBase
. If price iszero
, then thismultiplication
will result in azero
value. This will cause themulDiv()
function to return azero
value, which will be incorrect.Impact
The function is possible for to return a
zero
value, which would be incorrect. This could cause users to lose money if they rely on the function to return the correct value.Here is an example : Alice wants to swap
100
tokens for200
tokens. She calls the_convertByToPrice()
function with the following parameters:Alice has
100
tokens in her account. However, the vulnerabilityin the code does not check if price iszero
. In this case, price is zero, so themulDiv()
function will return a zero value. This means that Alice will receive0
tokens, which is a loss of100
tokens.Code Snippet
Tool used
Manual Review
Recommendation
_convertByToPrice()
function to see if price is zero. If it is, then the function should revert.