Closed sherlock-admin closed 6 months ago
The intention of the system is to only have OHM pairs, but this is technically possible
@0xJem the whole purpose of BunniSupply is to track ohm pairs which is clearly noted in this comment here so suggest to keep invalid since this would constitute future integrations
Fix looks good. Adds extra check.
cu5t0mPe0
high
_getOhmReserves calculates the number of ohm incorrectly
Summary
When the `_getOhmReserves` function calculates the ohm in the uniswap pool, if the pool does not contain ohm, the function will return an incorrect ohm amount.
Vulnerability Detail
[BunniSupply.sol#_getOhmReserves](https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L399-L409)
When this function determines whether it is Ohm, that is, if token0 is not Ohm, then token1 will be recognized as Ohm.
However, according to the project's reply, the pool does not necessarily contain ohm token, so an incorrect result will be returned in the end.
Impact
Returns an incorrect ohm amount as a result, affecting function: `getProtocolOwnedLiquidityOhm`
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L399-L409
Tool used
Manual Review
Recommendation
Both token0 and token1 should determine whether they are ohm tokens.
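The token selection described in this report, next to the form the recommendation asks for, as an added example that is not part of the original report and is not the Olympus `BunniSupply` source. The library, function names, addresses and reserve values are constructed for illustration, and returning 0 for a pool without OHM is an assumption (reverting is the stricter alternative).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Simplified model of the selection logic; reserves and token addresses are
/// passed in directly instead of being read from a Uniswap V3 pool.
library OhmReserveExample {
    /// Pattern described in the report: if token0 is not OHM, token1 is
    /// treated as OHM without being checked.
    function ohmReservesNaive(
        address ohm,
        address token0,
        uint256 reserve0,
        uint256 reserve1
    ) internal pure returns (uint256) {
        if (token0 == ohm) return reserve0;
        return reserve1; // wrong when neither token is OHM
    }

    /// Recommended form: both token0 and token1 are compared against OHM.
    function ohmReservesChecked(
        address ohm,
        address token0,
        address token1,
        uint256 reserve0,
        uint256 reserve1
    ) internal pure returns (uint256) {
        if (token0 == ohm) return reserve0;
        if (token1 == ohm) return reserve1;
        return 0; // assumption: a pool without OHM contributes no OHM
    }
}

contract OhmReserveExampleDemo {
    // Constructed placeholder addresses, not real token addresses.
    address constant OHM = address(1);
    address constant TOKEN_A = address(2);
    address constant TOKEN_B = address(3);

    /// Pool TOKEN_A/TOKEN_B holds no OHM: the naive form reports token1's
    /// reserve (700e6) as OHM, the checked form reports 0.
    function demo() external pure returns (uint256 naiveAmount, uint256 checkedAmount) {
        naiveAmount = OhmReserveExample.ohmReservesNaive(OHM, TOKEN_A, 500e18, 700e6);
        checkedAmount = OhmReserveExample.ohmReservesChecked(OHM, TOKEN_A, TOKEN_B, 500e18, 700e6);
    }
}
```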