search

sherlock-audit / 2023-12-dodo-gsp-judging

6 stars 5 forks source link

0xMaroutis - Users can lose funds when buying shares or executing flashLoan #162

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 6 months ago

0xMaroutis

medium

Users can lose funds when buying shares or executing flashLoan

Summary

During the buying of shares or the execution of a flashloan, the protocol does not refund the user for the unused tokens.

Vulnerability Detail

When buying shares, the function only uses the minimum amount provided between the base input and quote input.

uint256 mintRatio = quoteInputRatio < baseInputRatio ? quoteInputRatio : baseInputRatio;

If the user send more quote tokens than input tokens or the system used less tokens than the one provided, the user does get refunded the unused tokens.

In the same way, the flashLoan function calculates the minimum amount that should be received by the contract : 

(
                uint256 receiveBaseAmount,
                uint256 mtFee,
                PMMPricing.RState newRState,
                uint256 newQuoteTarget
            ) = querySellQuote(tx.origin, quoteInput); // revert if quoteBalance<quoteReserve
            require(
                (uint256(_BASE_RESERVE_) - baseBalance) <= receiveBaseAmount,
                "FLASH_LOAN_FAILED"
            );

(
                uint256 receiveQuoteAmount,
                uint256 mtFee,
                PMMPricing.RState newRState,
                uint256 newBaseTarget
            ) = querySellBase(tx.origin, baseInput); // revert if baseBalance<baseReserve
            console.log(uint256(_QUOTE_RESERVE_));
            console.log(quoteBalance);
            console.log(receiveQuoteAmount);
            require(
                (uint256(_QUOTE_RESERVE_) - quoteBalance) <= receiveQuoteAmount,
                "FLASH_LOAN_FAILED"
            );

However, it does not refund any additional tokens provided that were not used, in case provided tokens > receiveQuoteAmount or provided tokens > receiveBaseAmount.

This loss can be even more pronounced if there is a sudden price change due to increased volatility, a higher slippage factor k, or because of high value trades.

Impact

Loss of funds for users.

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L138-L141 https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L186-L189 https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPFunding.sol#L69

Tool used

Manual Review

Recommendation

Refund back the unused tokens to users.

Duplicate of #74